CIPHER SYSTEMS BASED ON 
CYCLIC DIFFERENCE SETS 


A Thesis Submitted 
in Partial Fulfilment of the Requirements 
for the Degree of 

MASTER OF TECHNOLOGY 


by 

M. SETHURAMAN 


to the 

DEPARTMENT OF ELECTRICAL ENGINEERING 

INDIAN INSTITUTE OF TECHNOLOGY. KANPUR 

FEBRUARY. 1986 



IJ.T. 



91928 



Lovingly dedicated 


to 

my wife Smt, Rama, kids K\imar & Menaka 
who made this achievement possible 


and to 


my thesis supervisor Dr. M.U, Siddiqi 
who made it worthwhile 



CERTIFICATE 

This is to certify that the thesis entitled "CIPHER 
SYSTEMS BASED ON CYCLIC DIFFERENCE SETS" has been carried out 
by Shri M. Sethuraman under my supervision and that it has not 
been submitted elsewhere for a degree. 



(M.U. SiddiqfDF 
Assistant Professor 


Department of Electrical Engineering 
Indian Institute of Technology/ KanpuJ 


Feb/ 1986 



ACKN0VILEDQEMENT3 


I am pleased tx> have written my thesis in the warm envi- 
ronment provided by ’younger* M.Tech. batehmates. Many of them 
willingly contributed towards the thesis, 

I am particularly thankful to the attention & encourage- 
ment received from my thesis supervisor Dr. M.U. Siddiqi. Many 
questions, raised by him during discussions, shaped the thesis 
into its present form. 

I profited from many discussions with Vellaisamy, 
Somesh Kiimar and L.S. Biradar at various stages of the thesis. 
They really took pains to clear some of my misconceptions. 

My wife and kids deserve more than thanks. She devoted 
her energy to the family and insulated me completely from this 
responsibility of mine, so that I could pursue my degree. This 
thesis is as much theirs as it is mine, 

I am especially grateful to Dr, R.P. Shenoy, Director, 
LRDE and Mr, V.G. Rao, Divisional Officer, B Communication 
Division, LRDE for sponsoring me to the course. I also thank 
Mr, R, Subramaniam and Mr. N. Si tar mi who eviriced keen interest 
on my thesis. 



My heartfelt thanks is due to Mr. V.S. Mahalingam who 
willingly took care of my financial and administrative proolem 
at Bangalore. 

Finally I appreciate Mr. Raj Khanna for the excellent 
typing of the thesis, from an almost illegible manuscript. 


M. SETHURAMAN 



nPNTENTS 


List of Tables 


List of Figures 


Abstract 
Chapter 1. 

Chapter 2. 


introduction 

1 1 Scope of the Present Work 

l]2 organisation of the Thesis 

cryptographic systems 
2 . 1 Scenerio 

2^2 cryptographic Systems Overview 

221 cryptanalytic Attacks 

222 System Requirements 


Chapter 3 . 


CHAPTER 4. 


Choijter 5. 


3L0CK CIPHERS 

perfect Secrecy 

5*2 Block Ciphers using Symmetric 
Group S^ 

permutation networks 

^ 1 Realisation through Degree Vector 
^2 Realisation through Cyclic Sh; f ts 
/-I Realisation through Selection 

IESIRIOTED-PERMU’*^^®' netooeks 

. ^ Quasi-random Permutations 

- 1 permutation Selection 

* r'r-iteria 


5.2 


5.1.2. 

Quasi- 

Binary 


Permutation Tables with 
Good Correlation Propertie 

random Permutations through 
Sequences of Length 2^ 



ii 






Page 



5.2.1 

Binairy Sequence Correlation... 

35 



5.2.2 

Difference Set Concepts and 
Construction 

37 



5.2.3 

Properties of m-sequences ... 

40 



5.2.4 

Near-ideal 2^ Length 

Sequences . . . 

45 



5.2.5 

Acceptable 2^^ Length 

Sequences ... 

48 



5,2.6 

Generalisation of Results 

61 



5.2.7. 

Emameration of Tables ... 

62 

Chapter 6- 

HARDWARE IMPLEMENTATION 



6.1 

Initial Approach ... 

66 



6.1.1 

Encryption . . * 

66 



6.1.2 

Difficulty in Decryption 

69 



6.1.3 

Solution through Involution... 

71 


6.2 

Final 

Structure and its Capabilities. 

72 



6.2.1 

Block Schematic 

72 



6.2.2 

Permutation Space of the 

Cipher System ... 

73 



6.2.3 

Cryptanalysis of the Final 

Scheme ... 

77 


6.3 

Hardware and its Performance ... 

79 

Chi wter 7 . 

CONCLUSION 




7.1 

Results ... 

88 


7.2 

Scope 

for F..rther Work ... 

88 

Re-'-erences 



f # ♦ 

90 

Appendix A1 

.List of Galois Field Elements and 

Difference Sets 



A.l. 

1 GF(2 




A.l. 

2 GF(2 

®) 




iii 


LIST OF TABLES 


Table 

No. 

Page 

5.1 

(15, 8, 4) -Cyclic Difference Set Generated 
by GF(24) 

41 

5.2 

Partition of Differences ... 

42 

5.3 

Partial Correlation Results of 15 Length 
Sequence ... 

46 

5.4 

Partition of Differences and Correlation 
of 2 4 Length Sequence 

50 

5.5 

( 2"^- 1) -Design ... 

52 

5.6 

4 4 

2 -Design extended from (2 -1) -Design ... 

54 

5.7 

5 

2 -Design through Primitive Polynomial 
p(X) = 1 + X -i- x2 -!- x3 x5 

56 

5.8 

2^-Design through p(X) = 1 + X -i- X^ + X*^ -f X^ 

57 

5.9 

2^-Design through p(X) =:1 + X^+X^ ... 

58 

5.10 

2^-Design through p(X) = 1 + X^ + X^ 

59 

5.11 

2^-Design through p(X) = 1 + X^ + X^ ... 

60 

5.12 

Number of Permutation Tables ... 

64 

6 .1 

Log Table for GF(2^) using p(X) = 1 t X + 

70 

6.2 

^ -Even Permutation . * . 

75 

6.-^' 

Tt -Even Permutation ... 

fi 

76 

6. . 

Read Muller Canonical Boolean Expression ... 

78 



iv 


LIST OF FIGURES 


Fig. No. 



Page 

2'.1 

Privacy Homomorphism 

• * * 

5 

2 .2 

Cryptographic System 

» • ♦ 

9 

3 .1 

Perfect Secrecy 

• ♦ • 

12 

3.2 

A 3 bits Block Cipher 


14 

4.1 

Permutation Network 

• • * 

21 

4.2 

Control Algorithm of Permutation Network 

• » « 

24 

4.3 

Block Cipher by Degree Vector B 

• « • 

24 

4.4 

Block Cipher (minimal Hardware) 
by Degree Vector B 

# » « 

25 

4.5 

Block Cipher by C Vector 

« 

27 

4.6 

Block Cipher by S Vector 

• • 

28 

5.1 

Wire-Crossing Permutation 

« • • 

30 

5.2 

Cyclic Shift System 

« • • 

33 

5.3 

Dyadic Shift System 

m » m 

33 

5.4 

Near-ideal 2^^ Design 

« • • 

55 

5 . b 

•Acceptable' 2^ Design 

« « # 

62 

6.T 

General Sketch of the Cipher 

* # • 

66 

6 . 

Encryption Hardware Schematic 

’ # « • 

68 

6.3 

One Round of Cipher System s Product of 
Two Involutions and 9 

• » • 

73 

6 .‘c 

Final Block Schematic of 'the Cipher 
System 

0 0* 

74 



V 


Fig, 

No. 


Page 

6,5 

Addition Modulo 2 

* « • 

81 

6,6 

GF(2^) Array Multiplier 

* * ^ « 

82 

6.7 

Circuit Schematic 

• 

83 

6.8 

3 2 

GF(2 ) Exponentiator Timing Diagram 

* # • 

84 

6.9 

I/O Timing Diagram 

• « « 

85 

6.10 

Pipeline Operation 

• 

86 



ABSTRACT 


Design of block cipher systems# that are cryptographically 
strong and are easily translated into hardware# is studied. Full 
permutation networks# realising all the symmetric group permu- 
tations are known to have the desired cryptographic strength. 

Three specific methods# i.e. degree vector representation# cyclic 
shift vector representation and selection vector representation 
of permutations# that lead to a mapping of integers in the range 
0 to (N i -1) to specific permutation of are proposed. Imple- 
mentation of these three schemes require excessive hardware. 

Keeping in view the required key space size only# quasi- 
random permutation networks are studied. It is established 
that these could be constructed by the use of 2^ length 'white' 
sequences. Using the tools of cyclic difference sets# it is 
shown that acceptable 2^ length sequences# possessing near-ideal 
properties# are obtainable from (2^-1) length near-ideal sequ- 
ences. Construction procedure of these sequences leads to GF(2^,' 
computation as the cipher transformation. A final scheme, 
cryptographically strong and having enough key space# is shown 
to be achievable using reasonable size hardware. The proposed 
system based on available MSI/LSI chips# is shown to support 
a throughput of 125 k bits for a low-power Schottky TTL version 
and 250 k bits for a Sciiottky TTL version. 



CHAPTER 1 


INTRODUCTION 


Cipher systems protect data in storage as well as during 
transmission over communication neta-forks .[17]^ 9] , Here data 
means any sequence of (0,1) ie.,any binary sequence that represent 
a source of information. The source of information could be 
text, speech, image etc. In case of text the binary sequence 
will be the standard ASCII (American Standard Code for informa- 
tion interchange) representation of the individual characters. 

It represents the digitised form of speech and image. A cipher 
transforms the data into a meaningless one to all but the inten- 
ded receiver, 

1.1 Scope of the Present Work 

This present work is devoted to the study of cipher 
systems that can easily be implemented in hardware. Towards 
this goal, the requirements of a class of ciphers, i.e.. Block 
Ciphers, are established. As the symmetric group S^ of permuta- 
tions provides a good block cipher [l7, pp, 231-233] , an attempt 
is made to realise it in hardware. This is shown to require 
expcnential order hardware and a search is made towards ciphers 
using quasi-random peirrautations out of S^. Making use of 
difference set concepts [25, pp 19-20 ] an efficient hardware 
realisable algorithmic design of cipher systems^ based on (2^-1, 



2 


2^“^) -cyclic difference sets^is arrived at. This is 
converted into a design using existing MSI/LSI ICs and its 
performance in respect of hardware complexity and throughput is 
evaluated, 

1,2 Organisation of the Thesis 

Chapter 2 presents an overview of the need for a cipher 
system and the requirements of the cryptographic system in order 
to sustain the types of possible cryptanalytic attacks. 

Chapter 3 focuses on block cipher systems. The symmetric 
group of permutations is shown to possess all that is required 
of a cipher system. 

Chapter 4 attempts three elegant ways of hardware imple- 
mentation of and the resulting hardware is proved to be far 
too nigh. 

Chapter 5 gives an efficient algorithmic solution to 
realise a restricted-permutation cipher through cyclic diffe- 
rence sets. 

Chapter 6 translates the algorithm into a proposal of 
cipher systems and presents a detailed design of the cipher 
us.T ng available MSI/LSI chips. The performance of the hardware 
ia also evaluated. 

Chapter It the concluding chapter, simmarises the results 



3 


achieved in this work. Certain related areas for further work 
are suggested. Further groundwork in these areas will lead to 
conclusive results on the strength and also the implementation 
aspects of the proposed cipher systems. 



CHAPTER 2 


CRYPTOGRAPHIC SYSTEMS 


In t-his chapter we briefly review the need for the cry- 
ptographic systems in the context of computer communication 
networks and also the requirements that are to be met by these 
systems. Section 2.1 presents a vivid picture of the threat 
to secrecy and section 2.2 formulates the requirements of the 
system and the kind of cryptanaly ti c attacks the system will 
be subjected to, in the actual environment of its use. 

2.1 Scenario 

Era of computer network is about to usher in India. The 
IiroONET project is being vigorously pursued by the Computer 
Maintenance Corporation, which envisages pooling of all compu- 
ting resources through a nationwide digital Network. Simultane- 
ously an Integrated Switching and Digital network (ISDN) is 
being planned by Department of Education, to interconnect the 
computers of IITs and IISc through satellite link. Given such 
a network lot of information flow is going to take place and 
also a lot of information is going to be processed and stored 
at .lodes of this network. Digital data transmitted on links and 
stored information are vulnerable toceivesdropping, without actua 
physical intrusion, through the very same network. As the data 
is in machine readable form, it is an easy job to routinely 


5 


monitor the traffic and to record and analyse, the ones in which 
the eavesdropper is interested, by the use of inexpensive hard- 
ware. Hence it becomes imperative to solve this threat and to 
put to good use the network resource. 

As of now cryptography appears to provide the only practi- 
cal method of protecting data. While it does not guarantee 
absolute security, it makes it more costly and risky to penetr- 
ate systems to obtain data in storage or during transmission 
[ 9] ,[ 17] . However, if data is to be protected while it is being 
processed, secrecy can be achieved only through privacy homomor- 
phism [ 22] . The basic idea here is that encrypted data, after 
processing, should be the same as if the data were first deci- 
phered, processed in plaintext and finally reenciphered (Pig. 2 . 1 ). 



Fig. 2.1 Privacy Homomorphism 









6 


Though Privacy Homomorphisms offer the ultimate in data protec- 
tion, it is not known whether it is possible to have a secure 
privacy homomorphism with a large number of operations [7, pp. 
157-158 ] ,[22 ]. 

2.2 Cryptographic Systems Ovejrview 

Cryptography is the technique of protecting data. A 
cipher is a particular method of achieving secrecy and it pro- 
tects data by transforming data from a usable and comprehensible 
'plaintext' (message) form to a scrambled and incomprehensible 
'ciphertext' (sometimes called cryptogram) form, from which the 
plaintext can only be recovered by use of a secret 'key'. The 
process of transforming plaintext into ciphertext is called 
'encryption', the reverse process of transforming ciphertext 
into plaintext is called 'decryption*. Both encryption and 
decryption are controlled by cryptographic keys. The mechanism 
which performs these transformations, ie,, encryption and decryp- 
tion, is known as a cryptographic system. 

2.2.1 Cryptanalytic Attacks 

Cryptanalysis is the science and study of methods of 
breaking ciphers [ ^ , [ 9 ] . Cryptanalysis uses tools of probability 
theory and statistics, linear algebra, abstract algebra (group 
theory) and complexity theory, A cipher is 'breakable' if it is 
possible to determine the plaintext or key from the ciphertext, 
or to determine key from plaintext-ciphertext pairs. There are 



two fundamentally different ways in which cryptographic systems 
may be secTxre. In some systems, the amount of information avai- 
lable to the cryptanalyst is actually insufficient to break the 
system, no matter how much computing power the cryptanalyst has 
at his disposal. A system of this kind is called 'unconditio- 
nally secure ' . Even when the intercepted material contains suffi 
cient information to allow a unique solution to the cryptanalytic 
problem, there is no guarantee that this solution can be found 
by a cryptanalyst with limited computational resources. It then 
becomes the goal of the designer of a cryptographic system to 
make encryption and decryption inexpensive, while ensuring that 
any mccessful cryptanalytic operation would be too complex to 
be economical. What is required is that the task of the crypt- 
analyst, though known to be achievable with a finite amount of 
comr>atation, is so overwhelming as to exhaust the physical compu- 
ting resources. We will call a task of this magnitude ' computa- 
tioi’ally infeasible' and the associated cryptographic system 
' computationally secure ' . 

There are three basic methods of attack j cipher-text only 
kncwii-plaintext, and chosen-plaintext. In all cases it is 
ass ’med that the opponent knows the general system in use since 
this information can be obtained by studying a cryptographic 
devcce. Usually the worst circumstaice from the point of view 
of cryptanalyst is to have nothing available to him brt the 



1 


8 


material he has intercepted and some knowledge of his opponent's 
messages. This may be limited to a knowledge of statistical 
properties of the language in use and a knowledge of certain 
probable words. This is the weakest threat to which a system is 
normally subjected, and any system which succumbs to it must be 
considered completely '.insecure. It is called a ' cipherte.xt 
only attack ' . 

Many secret messages sent for business purposes, press 
releases and product announcements, for example, are intended for 
subsequent public release. Hence a cryptanalyst often knows 
substantial amounts of corresponding plaintext and ciphertext, 
mak; ng it possible a 'known-plaintext attack*. While a known 
pi a.' n text attack is not always possible, its occurrence is 
frequent enough that a system that succimbs to it is not consi- 
dered secure. 

The cryptanalyst is sometimes in the even stronger posi- 
tica of being able to see the ciphertext corresponding to any 
ple'.ntext he chooses. His problem is to determine the key for 
la-f ^r use in enchipering or deciphering other messages. This 
is 'chosen-plaintext attack*. For the purposes of certifying 
sy. terns as secure, it is appropriate to consider more formidd- 
ab.s cryptanalytic threats, as these not only give more realistic 
moc'els of the working environment ot a cryptographic system, but 
also make the assessment of the system's s-trength easier. 



9 


2.2.2 Sys tern Requirements 

A cryptographic system has the following components 
[?/ pp. 7-8] a plaintext message space (m) , a ciphertext message 
space (c), a key space (k) , a family of enciphering transformations 
(Ej^ s m > c where K^k), a family of deciphering transforma- 

tions (Dj^ i c — — > m, where K C. k) . Each encryption is defined 
by an encryption algorithm E^ which is common to every transfor- 
mation in the family/ and a key Kj which distinguishes it from 
the other transformations. Similarly/ each decryption D is 
defined by a decryption algorithm D and a key K. For a given K, 
is the inverse of ; that is Dj^(E^(M)) = M for every plain- 
tej'c message M. See Fig. (2.2) 


Insecure 



Plaintext 


Fig. 2.2 Cryptographic System 




10 


There are specific requirements imposed on the cryptog- 
raphic system to meet the secrecy aspects and also certain general 
requirements to meet its operational role in a network. These are 

-It should be computationally infeasible for a cryptanalyst 
to systematically determine the deciphering transformation 
even under the worst attack. 

-It should be computationally infeasible for a cryptanalyst 
to systematically determine plaintext M from the inter- 
cepted ciphertext C. 

-The security of the system should depend only on the sec- 
recy of the keys and not on the secrecy of the algorithms 
E or D. The key space should be very large to prevent 
systematic key trial. 

—It must be easy to use, less costly and should not degrade 
the network performance (speed, error etc) - The transfor- 
mations must be efficient and in general should not expand 
the massage length. An increase in length of text under 
encryption would unnecessarily complicate storage requi- 
rements and will reduce the effective rate of data trans- 
mission over communication links. 



CHAPTER 3 


BLOCK CIPHERS 


In this chapter we focus our study on a class of ciphers 
called Block cipher. Section 3,1 postulates the 'perfect secrecy' 
requirement of such a cipher. Section 3.2 establishes that the 
symmetric group of all permutations is a good block cipher, 

3.1 Perfect Secrecy 

Based on information theoretic properties of cryptographic 
systems Shannon [23] has proposed a theoretically secure system 
[ 7, p. 22] . The three classes of information in a cryptographic 
system are plaintext messages M occuring with probabilities 
p(M) ( ^ p(M) = 1), ciphertext messages C occuring with proba- 
bili.ties p(C) { ^ p(C) =1)/ keys K chosen with probabilities 
p(K) where ^ p(K) =1, 'Perfect secrecy' is defined by the 
cordition p(M/C) = p(M), where p(M/C) is the probability that 
message M was sent given that C was received^ that is, intercep- 
ting the ciphertext gives a cryptanalyst no additional information. 
If p(C/M) is the conditional probability of receiving C given 
that M was sent, then p(C/M) is the sum of the probabilities 

p(k) of the keys K that encipher M as C ie*p(C/M) = ^ p(K) . 

(Ej^(M)=C) 

Usiially there is atmost one key K such that = C for given 



12 


M and but some ciphers can transform the same plaintext into 
the same ciphertext under different keys. A necessary & suffi- 
cient conditon for perfect secrecy is that for every piC/M.) 
p(C) for all M. This means the probability of receiving a parti 
cular ciphertext C given that M was sent (enciphered under some 
key) is the same as the probability of receiving C given that 
some other message M was sent (enciphered under a different 
key) . Perfect secrecy is possible using completely random keys 
at least as long as the messages they encipher. Fig. (3.1) 
illustrates a perfect secrecy system with four messages, all 
equally likely, and four keys, also equally likely. Here p(M/C) 
p(M) = 1/4 and p(C/M) = p(C) = 1/4 for all M and C. A cryptana- 
lyst intercepting one of the ciphertext messages C^, C 2 , or 
would have no way of determining which of the four keys was 
used and, therefore, whether the correct message is M 2 , 
or 14^. 



Fig. 3.1 Perfect Secrecy 



13 


Perfect secrecy requires that the niimber of keys must be 
at least as great as the mjimber of possible messages. Otherwise 
there would be some message M such that for a given C, no K 
deciphers C into M> implying p(M/C) =0. The cryptanalyst could 
thereby eliminate possible plaintext messages from consideration, 
increasing the chances of breaking the cipher. 

3.2 Block Ciphers using Symmetric Group 

A block cipher is a cryptographic system which divides 
the plaintext into separate blocks, usually of same size, and 
operates on each independently to produce a sequence of cipher- 
text blocks. The most general possible block cipher is one 
which can transform any possible plaintext block into any possible 
ciphertext block as along as the overall transformation is rever- 
sible. This most naturally fits in the 'Perfect Secrecy' model 
explained earlier. 

Let an n-block be a sequence of (0,1) of length n. 

X = (X^, X. ...X^ .), x.^(0,l) 

o 1 n— 1 X ^ 

X can be interpretted as a vector of length n, as well as 
the binary representation of the integer 0^1! x 1 1 <_ N-1 
where N = 2 ’^. A mapping f 2 can be represented by the 

two line notation 

j'''l , 2 ... N \ 

\il' i2**' 


/ 



crp 


14 


where the first line lists the elements in natural order and 
the second line lists the permuted order iie,/the images of the 
elements under the mapping. In a general map the each image can 
take any one of the values 1 to N and hence there are total 
maps. Out of these only the n] permutation maps are reversible 
i£V/they are bijective maps. Here the images i^,i 2 «..ij^ take on 
distinct values from 1 to N. These reversible mappings could be 
chosen as the cryptographic transformation. Hence an element 
of the symmetric group (S^) of permutation could be chosen as 
the transformation. Even for moderate n = 16, the space of the 

s 

transformations works out to a staggering figure of 2^*^ (one 
million bits). See Fig, 3.2 for a 3 bit block cipher. 



Using an element of a keyed bloc), cipher could be realised 
Ussr i and user j agree in some manner upon a key K in and 




15 


transmit plaintext X enciphered by the permutation chosen ie 
C = Ej^{X) . At the receiver the inverse permutation is performed 
to get the plaintext X = D (c) . 

XX 

The block cipher using fares very well in respect of 
all the three types of attack. 

1* Ciphertext only attack z If reasonable length n is 
chosen as block length then it is very difficult to attempt 
ciphertext only attack as the side information such as frequence 
of occurrence & most probable word table etc is very difficult 
to generate on a size of N = 2 , The size becomes 1.8 x 10 
even for n = 64. The key space of (2^^) \ makes key trial 
absolutely impractical. 

2. Known plaintext attack s An opponent who learns the 
correspondence between some sxibset of plaintext and ciphertext 
X.< — > C., 0 < i< m can not on the basis of information alone 
find the plaintext corresponding to y (y^^) . This still leaves 
(N- n) I of N i permutations in satisfying the equations Ej^(X^) = 

0 <_ i < m. In order to unrquely fix K one riaeds to know the 
cryptograms of almost all the N = 2^ members of the set. If 
the message symbols are equally likely then a staggering sequence 
of symbols are to be collect'^d before one can sxpect all symbols 
to occxir in the sequence. 

In an experiment of drawing objects X^....X^/ each with 
probability of occurrence p(X^) = 1/N, one by one with replacement, 



16 


the expected length of sequence to contain all X^s atleast once 
can be found out as given below. Let N 4 - z be the trial at 
which all N objects occur at least once for the first time ie. ^ 
in N+z-1 trials we have only N-1 objects occurring at least once 
and at N4-z^ trial n object occurs. 

If we denote the occurrence of any distinct symbol for 
the first time by 1 and repetitions of previously occuring symbols 
by 0 then we have 

Length = N+z-1 ^ No. of ones = N-1 


r 




101 . .. 


, . .01 
J 


total length N+z 

No. of ways of having (N-1) ones in a length of N+z-1 

/ N+Z— 1 \ 

“ ^ N-1 ’ 

Probability of having (N-1) ones in a length of (N+z-1) 

( N+z-1 X Iv2 1 

" ^ N-1 ^ „N-1 

N 

where (l- -^) is probability of z failures 
and -" --tr is the probability cf N-1 successes. 

The probability of the experiment stopping at N+z 

/ N+Z— 1 \ /i ^ ^ ^ ^ 

= N-1 ^ * jjN-1 * N 

where ^ is the probability of a success at the last draw. 

P(Z=z) = ( ^N-1^ ^ ’ 



17 


oo 

It can be verified that ^ P(Z= 2 ) = 1 

2=0 


Lo 


y /N-i*2— 1 \ ^2 N -u ^ ^ i 1 

1=0 ^ W~1 ^ ^ ® ^ ^ ’ N 


and s = 


N 


^ N 2 , N-rZ-l . ^2 

z=0 N-1 


= ( l ~ f)“N 

= 1 


by binomial series expansion 
o£(l-f) 


Now the expected number of trials 

OD 

1=0 


E(Z) 


= 2 . )(i - I ' 


N-l 


N 


N' 


N 


(N-DN^, Z( ) i (1 - i) 


1^2-l 


~ fKT (N+2~l)i 1 /- 

- (N-l)N (n-1) [ 2 [ N N^ 


N 

l^z-l 1 


N-l-l 


N+1 


N 


fTT 1 'I H (z— 1) — 1 ) - /- 1\Z~*1 1 

(N-l)N (1 - -) -_ 


N 


OO 

(n-i)n 2 (^+y:^)(i - 1 )y ( i 

VIN x;iN V J\X ^ J V ^ 


by letting M = N-t-1 Sc y - z-1. 


= (N--l)N. 

Heijce the total length of the experiraent is likely to be 
N -1- (N-l)N = N^. 


This would mean on the average a cryptanalyst has to 



18 


2 

collect N cryptograms. For n = 64 this works out to a stagge- 

38 • 

ring figure of >£> 4x10 . Hence the cipher system is safe against 

known-plaintext attack, 

3 * Chosen-plaintext attack s Even here the cryptanalyst 
cannot hope to plant a message of length N, 

So from all types of attack the block cipher using symme- 
tric permutation group is secure. 



CHAPTER 4 


PERMUTATION NETWORKS 


Since the realisation of S^ provides a good cryptographic 
system, it will be nice if we can arrive at a hardware that can 
realise S^^. In this chapter, we describe in detail three elegant 
full pemutation networks. Section 4.1 deals with realisation 
through degree vector representation of permutation. Section 
4-2 presents cyclic shift vector realisation and finally section 
4.3 gives an implementation of full permutation by selection of 
elements. In all these methods the complexity of hardware req- 
uired is far too high. 

For the purposes of a block cipher, it will be nice if 
all the permutations of S^^ could be ordered in some way. After 
this any permutation in the set could be selected by specifying 
a random number within the range of 0 to (Nt —1). If there 
exists a mapping which can be carried out algoi ithimically, then 
hardware realisation will be easier. We will look at possible 
implementations. Any permutation is specified by number x^ 

0 < X < (Nl -1) and this number is converted into a mixed radix 
digi t system which uniquely specifies the position of permutation 
in the given ordering, in these implementations. 




20 


4.1 Realisation through Degree Vector B. 

From any permutation ' * *^N-1 derive 

N permutations of by first placing N on the immediate right 
of aj^ ^ and then letting it step over turn 

[l3, pp. 332-338]. 


^2 * * 

* ®N-2 

^N-1 

^1 ^2 * * 

* ^N-2 

^N-1 

Vl ®2* 

* *^N-2 

^-1 


Starting from the unique permutation 
1 of S^, we get 
12 

21 the two permutations of S 2 . Talcing each of these in tuJ.n 
we get 123 
132 
312 
213 
231 

321 the six permutations of S^. Proceeding in this 
maiiiier, talcing each permutation in turn, we can derive from the 
(N-d)* permutation of all the N ’.permutations of 

The network in Fig. 4.1 is capable of realising closely 
following the same way of generating permutations. 



21 


1 2 3 . * N— 1 St:3g0 

I ! j nos. 



Control = 0 Control = 1 


Fig. 4.1 Permutation Network 


Stage 1 can produce S 2 / stage 2 can insert a^ in all three 
positions of S 2 creating S^. For each of (N-1)*, permutations 
obtained at (N-2)^^ stage, (N-1)^^ stage can insert a^^ in all 
N positions of ^ creating However the hardware requires 

a total of switching elements. 


In a permuted version of elements aj^a 2 . - . .a^^ let b. 
be the number of a's which are < K and are on its right side. 


Then the permutation is uniquely specified by its degree vector 
B = B [1,2 ,...n] = [b^b 2 . . .bj^. . .bj^ , 0 £ K-1. Degree vector 

representation gives a unique ordering of the permutations. 


Example s 


Position 

Permutation 

B vector 

0 

123 

000 

1 

132 

001 

2 

312 

002 

3 

213 

010 

4 

231 

Oil 

5 

321 

012 



22 


The position of a given permutation in the ordering can be 
obtained from the degree vector B, 

Elements : 1 2 3 4 . . , N 



We start with m^^^ = b^^ =» 0, and then calculate the values of the 
other m‘s from the formula 

= K ^ ~ 2,3,...N. 

In the algorithm/ m^ gives the position of permutations in the 
ordering. 

Therefore = b^^ '' 2 + ...+n 1 b^ 

N 

= Ni|^jb^/K!. 

The justification for the algorithm is provided by the fact that 
the given permutation arises from a permutation of ^ obtai- 
nable from the given permutation by the deletion of N, If this 
permutation had as its position in its own set/ then the 

given permutation position is given by + b^^ in the derived 

set, (eg) position of 3521746 in 

b[ l,2/3/4/5,6/7] = [0120302] 

Elements ! 1 2 3 4 5 6 "7 

B ;0120302 


m' s 


0 1 5 20 103 618 4328 



23 


The given permutation is 4328th in the set of 71 permutations 
of Srj. The position m^ of the permutation follows the mixed 
radix representation 

N I b 

m^ = Nl -I- — ^ + N(N-l)b^__2 + Nb^_^ + b^ 

The digit weights are given by w. = -rf — and 0 < b^ < K-1. 

The radices are m^ = l, m 2 = 2^ ... m^=i . . .mj^=N . 

til. 

(eg) Let us find out the degree vector B of 4328^ permutation, 

4328 = 0 t(l X ~)+{2 X ~|-)+(0 x ^)+(3 x X|>)-r (O x Jf )+ (2 x ~) 

Z ^ O? 4} Dl Oft 

• » * ♦ • 

i^.,B = [0120302] 

Thus any number x {0<_x£Nl-l) can be converted to a 
unique degree vector. Degree vector representation leads tea very 
simple control algorithm to set up the permutation network. The 
b„s of the degree vector indicates where the element K is to be 
inserted. At stage K switch off (K-b^) from top & switch on 
remaining b^, switches from bottom. See Fig. 4.2 

The inverse permutation can be carried out by tracing the 
network in the reverse direction, using the same algorithm, ie., 
from output to input, 

A block cipher realised using this type of permutation 
ne Lwork is given below in Fig. 4.3, 



24 


B — <^0 1 


0 


2 Stage nos, 


Input 


2 

3 

4 

5 . 

6 
7 


Stage 

outputs 


2 

1 

3 

4 

5 

6 
7 


3 
2 
1 

4 

5 

6 
7 


3 
2 
1 

4 

5 

6 
7 


3 

5 
2 
1 

4 

6 
7 


3 

5 
2 
1 

4 

6 
7 


3 

5 
2 
1 
7 

4 

6 


5 
2 

1 

7 

4 

6 


output 


Fig. 4.2. Control Algorithm of Permutation Network 


X 

o 


X 


n 



c 


o 


c 

n 


Fig. 4,3 


Block Cipher by Degree Vector E 





25 


In the block cipher realised above the permutation network can 
be set up in one step^ however, it requires hardware proportional 
■to At the expense of delay we can realise the same using 

a hardware which is proportional to N, taking N steps to obtain 
the required permutation, A block cipher realised in this way 
is shown below in Pig. 4.4, 



Fig. 4.4 Block Cipher (minimal hardware) by Degree Vector B 


4.2. Realisation through Cyclic Shifts 

Prom any permutation of a^a 2 a 2 . . of one can 

deri'^'e H permutations of by first placing^N on the immediate 
right of and then taking cyclic shifts of the elements. 

Initial order (O shift) a^ a 2 a^. . . 


1 shift 


^2 ^3 ' * * ® N -1 ^1 


• ^N-1 


(N- ' ) shifts 


^ • • 







26 


Starting from the unique permutation 
1 of we get 
12 

21 the two permutations of S^, taking each of these in turn 
we get 123 
231 
312 
213 
132 

321 the six permutations of S^. Proceeding in this 
mannr c taking each permutation in turn, we can derive from the 
(N-1' I permutations of all t.he N’ permutations of Then 

any jjermutation of can be uniquely represented by a cyclic 
shift: vector C = [ C^C 2 . . . .C^^] 

0 < < K-1. The ordering according to cyclic shift 

vector is as follows. 


Position 

Permutation 

C vector 

0 

123 

000 

1 

231 

001 

2 

312 

002 

3 

213 

010 

4 

132 

oil 

5 

321 

012 


Any number x can be uniquely converted into a 

C ^'octor using mixed radix number system as described earlier. 



27 


A network can also be built which realises Sj^ using the C vector 
Fig, 4.5 


Plaintext 



Fig. 4,5 Block Cipher by C Vector 


4.3 Realisation through Selection 

Following the definition of permutation/ a permutation in 
can be realised through a series of selection process for the 
elements in the successive positions^ j.e,,first element could be 
selected from among all the N elements/ the next can be selected 
from the remaining N-1 elemei ts and so on. He ace the permuta- 
tion can be uniquely specified by a mixed radix number 
S =■• ] . 

Wi-f ’. digit weights ^ and 0 < ^ K-l„ 

This process can be mechanised through the following network 
(Fig. 4.6.) 





28 



Fig. 4.6 Block Cipher by S Vector 

The realisation of full permutation network requires a 
hardware complexity of the order of N=2^. as seen from the above 
implementations. 







CHAPTER 5 


RESTRICTED-PERMUTATION NETWORKS 

A keyed block cipher system, with a large enough block 
size n and capable of performing a random permutation from 
is effectively unbreakable due to impractical computationa' 
requirements of cryptanalysis. However we found that the hard- 
ware requirements to implement S^^ is also too high. Added to 
this the length of binary digits required to specify the chosen 
random permutation is also far too high even for reasonable 
bloclc lengths 'n‘ ie.,log 2 (N l)^(N-l) .n bits, where N=2^. 

A minimum key space of 2^ provides perfect secrecy and hence a 
less complex hardware configuration, which is capable of support 
ting a large enough (>2^) permutations out of will meet the 
requirements of the block cipher. 

In this chapter we deal with methods of constructing 
restricted-permutation networks. Section 5.1 establishes the 
selection criteria (section 5.1,1) for the restricted permutatio 
and the possibility of a compact construction through a good 
correlation single permutation table (section £.1.2), Section 5. 
translates the problem into that of constructing 2^ length 'whit' 
sequences and finds ways of constructing such sequences. Section 
5,2.1 and 5.2.2 introduce concepts of binary sequence correla- 
tion and difference sets respectively, Sectibn 5.2.3 reviews 



30 


the m-sequence properties. Section 5.2.4 postulates the theore- 
tically obtainable near-ideal 2^ length sequence. Section 5.2.5 
offers an 'acceptable* 2^ length sequences design through exten- 
sion of 2^1.1 length sequences. After generalising the results 
in section 5.2.6/ the enxameration of the number of permutation 
tables is given in section 5,2.7. 

5.1 Quasi -random Permutations 

5.1.1 Permutation Selection Criteria, 

We could choose a fixed set of say M permutations in 
advance gnd store them. When a permutation is called for, we 
pick a number i at random between 1 and M and supply the i-th 
permutation. This may be called a quasi-random method [24] and 
has certain advantages over the truly random methods of choosin'' 
a permutation from With this algorithm one can weed out 

those permutations which do a poor job of scrambling or those 
which do not require great cryptanalytic effor+.. The wire- 
crossing permutation {see Fig. 5.1) is very we-ik from cryptana- 
lytic point of view. 



Pig, 5,1 Wire-Crossing Permutation 



31 


Wire crossing permutations are completely specified by a permu- 
tation matrix of size nxn and can be cracked if solution for 
the 'n* independent basis vectors are known. Whereas a block 
cipher substitution is specified by 2^x2^ permutation matrix^ 
requiring solution for 2^ vectors. Wire crossing permutations 
account for nl permutations of Even those permutation"? 

which are linear and affine provide a weak cipher. They c ;n 
be specified by again a (0,1) matrix of size nxn. Linear permu 
tations are of the form C = Ax, A- nxn binary matrix. Affine 
permutations are of the form C '= Ax + B where B is a n bit 
binary vector. The rows of A must be independent for reveirsi- 
bility, thus 

row 1 of A may be closem from 2^-29 values 

row 2 of A may be chosen from 2 -2'*’ values 

ri 2 

row 3 of A may be chosen from 2-2 values 
and so on until 

row n of A may be chosen from 2^-2^~^ values 

iewthe 1st row must be non zero, the 2nd must be non zero and 
distinct from 1st, the 3rd must be non zero and not any of the 
4 linear functions of earlier ones and so on. Also B may be 
chosen in 2^^ ways. Hence there are a total of 2’^(2^-2*^) (2’^-2^) 

. . . . (2^-2’^“^) nonsingular linear and affine trc.nsfcrmations [ 12] . 
Cryytanalytic effort required to crack these require solutions 
for 'n' independent basis vectors only. In a truly random 



32 


selection of permutation from there is always a chance, 
however small, that these poor permutation will be produc^'d. 

In quasi— random method these can be entirely 'avoided, 

5.1,2 Permutation Tables with Good Correlation Properties 

Random permutation tables can be constructed by pe: for- 
ming an experiment in which each member is chosen randomly 
one after the other without replacement, from an urn containing 
all the members. Whether the resultant permutation is random 
or whether the experiment was fair can be evaluated by statisti- 
cal methods. For example run test which measures statistic of 
leng-th of monotone subsequences ie„’runs up’ segments that ’are 
increasing or 'runs down* segments "that are decreasing or seiial 
correlation test which measures the amount of dependance of 

U . , on U . in sequence U U- , , ,U . . . .U„ - . However -the number 
jtK j o 1 j N— 1 

of such tables required for a block cipher is very large and 
each permutation table requires a storage of nx2^ bits. This 
is impractical from implementation point of vif-w. 

The requirement for the' large number o"^ tables could 
be reduced if we could locate a set of permuta-t ion tables whose 
shifted versions could also be used ie*,either cyclic shifts or 
dyadic shifts. To meet this irequireraent the sequence of each 
table should possess good randomness property tor ell its shifts 
Suppose we could locate one random i ermutation table of length N, 
which has good correlation property for all N shifts, then wo 



33 


can use that single table with a key space which gives all its 
shifts. See Pig. 5,2 

Key 



Fig. 5,2 Cyclic Shift System 


Same way# if a permutation table could be constructed which has 
good correlation property for all its dyadic shift then key 
('n’ bits wide) could be Ex-OR mixed with plaintext ('n' bits 
wide). See Fig. 5.3 



Botli addition mod N and Ex -OR networks require hardware which 
is linear with the size of the binary words theit are mixed. 

Ho^i'.ever permutation table sf 11 requires a storage of nx2^ bits. 

However if these good permutation tables cor Id be obtai- 
ned algorithmically using a hardwarr of polynomial complexity th^ i 







34 


we can use them for the block cipher. Over and above this, if 
iterations of these basic structure generate the whole gr''’up or 
a major portion of then this provides a very good, hardware 
realisable design of a block cipher, 

5.2 Quasi-random Permutations through Binary Sequences of 
length 2^ 

It is possible to construct quasi-random permutation tables 
using binary sequence of length 2’^. 

(eg) Plaintext Permuted output 


Binary 

Decimal 

Binary 

Decimal 

000 

0 

000 

0 

001 

1 

100 

4 

010 

2 

010 

2 

Oil 

3 

001 

1 

100 

4 

101 

5 

101 

5 

111 

7 

110 

6 

110 

6 

111 

7 

Oil 

3 


Each column of the permuted c tput (binary) is a 2 ^ length 
binary sequence. To qualify for a permutation -.-.able the binary 
sequence columns should posses the following properties. 

. There should be equal number of ones and zeros in the 
sequence 

. There should be equal numbe" of matches and mismatches 
of symbols between any two column constituting the ta.b.''e 



35 


Hence a good method to construct quasi- random tables is to 
construct 2^^ length binary sequences meeting the above require- 
ments and which are random like & white. If we construct with 
sequences having good auto correlation, either dyadic or cyclic, 
then we can use the corresponding shifts as keys as v/ell. 

Binary sequences of length 2^-1, possessing two level 
near-ideal auto correlation properties, have been well studied 
in literature [ 19]. Pseudo random binary sequences (PRBS) or 
the maximal length sequences (m-sequences) are well known in 
communication. In statistics design of experiments widely use 
symmetric designs with parameters {v,k,X). Symmetric design 
with parameters (2-1, 2”“ , 2”“* ) are the same as m-sequences, 

5.2.1 Binary Sequence Correlation 

Correlation between any two f0,l3 binary sequences 
l^b^l of length N is defined as 

tj ( Total Number of \ ^ Tota] number of v 

^ab' ~ > symbol agreements'^ ~ symbcj disagreements ^ 

where k = 0,1... N-1. The va] ue of k specifies the amount of 
cyclic/dyadic shift of the original sequence and k=0 implies 
original sequence. If the -[0,1} sequence is converted into a 
+1 sequence by the relation correlation can 

be formulated as 

^n ^n©k 



36 


When we use arithmetic subtraction modulo N for n©k then we 
get cyclic correlation i.e., n~]c and -^b^}- and -^b^ are given 
by 

' VA-"‘’n -fVki = Vk+l-*-*’m-k- ” 


Ex-OR addition of binary representation of n & k i.e., n@>-. 
then we get dyadic correlation between the sequences. Dya^Iic 
correlation is defined only for sequences of length a power of 
2. On similar lines the auto correlation function for various 
values of shifts k of a sequence a^^ can be defined as 

N 

= nil ^n®r>ek 


Let ^Sj^lbe a -£0,1^ N length sequence with m ones. Leu 
£a^_ki' be the same sequence after a shift of k with n-k taken 
modulo N. Let A be the number of places in which £a^J and 
£a^_k} have one in common i.e,. 


If {an} = 



^o^l***^i***^n 
®k®l+k* • '^l-!-k' • *®n+k 


then a^^ = 1 exactly a values of 

The arrangement of ones and zero of {a^^l and 


i, 0 < i < N-1 

Xa ,1 is as follows 
^ n— K** 


{Snl 1...1 1...1 0...0 0.,.0 

■ t ^ n -- k ^ 1...1 0...0 1...1 0 » ..0 

' m-X m~A N-A-2(m-X) 


Then the auto correlation function is given by 



37 


R (k) = ( nximber of places v / Total number of p3 a 

~ where symbols match ^ ^ ces where symbols 

mismatch 

= (A -i-N— A— 2 (m~A) ) — ( 2 (m— X) ) 

= N-4m-!-4X 

For any sequence -Ca^} of length N, R (0) = N (i.e., k=0 the zero 

^ n a 

shift correlation) . The auto correlation function R (k) k / 0 
will be a constant, if we could construct sequence for which , 
the number of places of common ones between ■t®n-kk 

is fixed for all values of k, k 7 ^ 0. In such a construction 
we get a binary sequence of length N with m ones and have two 
level auto correlation. If R (k) for k / 0 has a value zero or 

B 

close to zero then we get a good correlation sequence that 'looks' 
white. A noise like white sequence will have a very high 
(k= 0 ) correlation and zero out of phase correlation (k ^ 0 ) . 

5.2.2 Difference Set Concepts and Construction 

The concept of difference set helps us In constructing 
a good correlation sequences and also in analyfing its proper- 
ties [ 25 , pp. 19-20 3 . 

Definition 5.1; A set of m residues D = (a^...a^) modulo 
N is called a (N,m/A) -difference set if among the collection of 

eleuents[ a- -a. s i j/ 1 1 i/ J < all the non-zero residues 

^ 3 

occur X times. 

Definition 5.2; The incidence matrix A = of ^ 

(N,m,X) -difference set is defined as a NxN matrix wit>i. elements 



38 


1 if aj - D 

0 if aj . a. ^ 

Lemma 5,1: In a (N,m, A) -difference set the m(m-l) diffe- 
rences get partitioned into (N— 1) groups, each having X differen- 
ces . 

so (N-1) X = m(m-l) 

Example : 

(7,4,2) difference set 
D = (2, 4, 5,6) 

1 - (5-4) (6-5) 

2- (4-2) (6-4) 

3 - (5-2) (2-6) 

4 - (6-2) (2-5) 

5 - (2-4) (4-6) 

6 - (4-5) (5-6) 

Henre each non zero member is expressed as difference in exactly 
two ways. 

Incidence matrix A = ^^ij^ 

i\j 0 1 2 3 4 5 6 

010 0 1 0 1 1 1 
1 1001011 
21100101 
A= 3 1110010 

4 0111001 

5 lOlllOO 

6 0101110 




39 


Each row of the incidence matrix is a cyclic shifted version of 
another row. Between any two of the rows the number of ones 
coincide only in 2 (X) places and hence the (7,4,2) construction 
yields a binary sequence with two level auto correlation 

function R (0) =7 and R (k) = ~1 for k 0. 

It is possible to construct (N,m,^) - difference set with 
N = 2 -1, m = 2 , A = 2 for any value of n, as Lemma 5.1 

is satisfied i.e., (N-1) X = m(m-l) 

(2^-2) .2’^"^ = 2^“^(2’^“^ - 1) 

If such a difference is constructed then we can obtain a 

sequence of length 2^1 1, having 2^^”^ ones at locations specified 

by the difference set D and each non zero member (l..,(2^-2)) 

can be expressed exactly in 2^'*^ ways. Such a sequence will 

have a near-ideal correlation property of R (0) - 2’^-l for k=0 

i.e*/ zero shift and R (k) = N-4mt4 

a 

for shifts k = 1, 2, , . . (2^-2 ) . , One particular method of construc- 
tioii, known as linger difference set construction [l5,pp. 416-421 ], 
exi::ts for a design of (2’^-l, 2^~^, 2^"“^) . The method generates 
th' difference set via Galois Field GF(2^) . Galois field GF(2^) 
car* be constructed based on primitive polynomial of degree n. 

The 2^ elements of the field can be expressed as a polynomial 
of degree <_ n-1 in a , the root of the primitive polymomial of 



40 


degree n over G'F{2) ^ . Hence all these elements could be repre- 
sented by n binary digits, the digits representing the coeffi- 
cients of the polynomial representation of the field elements. 
Each column of these binary digits, leaving the all zero ele- 
ment, give the difference set. The column of |0,l} gives the 
(2^-1) length sequence and the positions of ones in the sequence 
give the difference set. See Table 5.1 for example. 

5.2.3 Properties of m-sequences 

The binary sequences of length (2^-1) constructed by the 
abovt- method are called maximal length Pseudo random binary 
sequences (m-sequences) and they possess the following random- 
ness properties. [ 14,p,336 ] 

Balance property : 

In every sequence the number of ones does not differ from 
the number of zeros by more than 1. 


Run length property : 

For every sequence, half the runs (runs of all ones or al3 
zeros) have length 1, one fourth have length 2.. one-eight have 
length 3 etc. as long as the number of runs equals or exceeds 1. 


Correlation Property 


The correlation R_ (h) 

O 


a 


j 

I 




is binary valued 

k = 0 
k 0 



41 


Table 5.1 (l5,a/4)-Cyclic Difference Set Generated by GF(2^) . 
Irteducible polynomial p(X) = 1-fX+X^ 

Power Representation Polynomial Representation 4 tuple 

Representation 


0 

0 

0 

0 

0 

0 

o 

a 

1 

1 

0 

0 

0 


a 

0 

1 

0 

0 

2 

a 

2 

a 

0 

0 

1 

0 

3 

a 

3 

a 

0 

0 

0 

1 

4 

a 

1-!- a 

1 

1 

0 

0 

aS 

^ 2 
a + a 

0 

1 

1 

0 

6 

a 

a^'rO.^ 

0 

0 

1 

1 

7 

a 

1 :-a 

1 

1 

0 

1 

8 

a 

1 a-ha^ 

1 

0 

1 

0 

9 

a 

« 3 

« -hx 

0 

1 

0 

1 

10 

a 

1-ia i-a^ 

1 

1 

1 

0 

11 

a 

a-i-a^ !-a^ 

0 

1 

1 

1 

a 

l-:-a-!- o?-!-a^ 

1 

1 

1 

1 

13 

a 

1 C^r 0? 

1 

0 

1 

1 

14 

a 

1 -HX^ 

1 

1 

0 

! 

0 

1 

1 

1 


D ^ fO, 4 , 7 , 8. 10 , 12, 13, 14) mod 15 
D =» .1,4,5,7,9,10,11,12) 

D = i 2 , 5 , , 3, 10 , 1 1 , 12 , 13 ) 

= , 6 , 7 ,9 , 11 , 12 , 13 , 14) 


D 



42 


Table 5.2 Partition of Differences 

Difference set D = (3,6^7,9,11,12,13,14) mod 15 


o members 
(k) 

Differences 

Correlation 

R^(]<) 

a 

1 

(7-6) (12-11) (13-12) (14-13) 

-1 

2 

(9-7) (11-9) (13-11) (14-12) 

-1 

3 

(6-3) (9-6) (12-9) (14-11) 

-1 

4 

(7-3X11-7) (13-9) (3-14) 

-1 

5 

(11-6) (12-7) (14-9) (3-13) 

-1 

6 

(9-3) (12-6)3-12) (13-7) 

-1 

7 

(13-6) (14-7) (6-14) (3-11) 

-1 

8 

(6-13) (7-14) (14-6) (11-3) 

-1 

9 

(3-9) (6-12) (12-3) (7-13) 

-1 

10 

(6-11) (7-12) (9-14) (13-3) 

-1 

11 

(3-7) (7-11) (9-13) (14-3) 

-1 

12 

(3-6) (6-9) (9-12) (11-14) 

-1 

13 

(7-9) (9-11) (11-13) (12-14) 

-1 

14 

(6-7) (11-12) X2-13) (13-14) 

-1 



43 


This property makes the sequence look ’white' as we would expect 
this from a truly random sequence. 


Partial correlation property ; Every sequence possesses the 
following desirable partial correlation properties [ 14/ pp. 547-8] , 

Theorem 5,1 : Let ^a} be a maximal length sequence of length N. 

Then R ^(k) = R (k) w < n 

dL 

where the normalised partial correlation of the sequence is given 
by 

vJ 1 ^ 

W i=0 J 9-^^ this averaging denoted 

by o'.erbar, is over all N starting positions 

Proof 5 By definition 


Rj^(k) 

a 


. N-1 . W-1 

W /=o t I lio ^ ] 


Int' Tchanging order of summations, we obtain 

— — — . N-l 

'‘a”'’'’ ' S i=of 5 j=0 » (i-j-k) ] 


Hen je, the average partial correlation, averaged over all star- 
ti»' ) positions, is just the periodic correlation function. 

Th* )rem 5.2s Let {a] be a maximal length sequence of length N 

TS'ie? ! ior k / 0 and W < N 

VarC R^'^(k) ] * i (1 + i) d - |) 



44 


where the averaging is taken over all N starting positions. 


Proof : Now Var [ R J^(k) ] = [ R ^(k) 3^ - ( R ^(k) ) ^ 


N-1 


[R^''(k)]^ - I jib ["w iio 


so that 


NW 


W 1 W-1 W-1 

= ' ^ " "^ ' 2 jlo iio R=0 a{i-j)a(i-j-k)a(h-j)a(h-j~l 


Using shift and add property of maximal length sequence, i.e.. 
any si ift of m-sequence is again a m-sequence and addition of two 
different m-sequences is again a m-sequence. we have 


vf-1 W-1 ^ 

[nJ^Ck) ] ^ = — ^ ^ Viin a_(i-j-h)a (h-j-k) 3 

a J=0 1=0 h=0 s s 


m 


where a is a shifted version of the a sequence. Now break the 
s 


double sum into a diagonal and an off diagonal expansion 

V'J-1 W-1 


— , N-1 } W-1 


J 


i h 


N-1 W-1 


W-1 W-1 N-1 




E E 


NW 


2 j=0 1=0-"" ^2 1=0 h=0 j=0 “s 


(i- j-k) a^ (h-j 'k 


i h 


* J 
NW 


[ NW -I- (-1)W.(W-1)3 


SO chat 


1 ^2 


var[ R ^{k) 3 = -V NW -i- (-l)w(w-l) - (- ) 

a 


kT^O 


w 


as i (l 4- •=•) (1 — -~) 

W ^ N'' '"*■ N 



45 


By Chebyshev inequality [l,p.93l] probability distribution 
functions, the value of lying between R^^(k) + Cr, 

where C is a constant and a the standard deviation ( d/ vsiCr ^(k)]) 

is given by PCR ^(k)+CO)-P(R ^{k)-aJ) > i- 1- , where F(x) denotes 
the cxamulative distribution function c.d.f. of the random 
variable X, Hence R^'^(k) has 0,75 probability to lie within 

i f 0.8899 probability to lie within R^^(k) + 3cr ^ 

0.9375 probability to lie within R ^(k) + 4 d and so on, 

3 

Chebyshev inequality provides lower bounds on R ^(k) . 

3 

See table 5,1 for the case of a 15-length sequence. 


5.2.4 Near-ideal 2^^ Length Sequences 

For constructing a good permutation table which has good 
cyclic correlation for all its non zero shifts, we are to look 
for 2^ length sequences with desired properties. We could build 
the table in case we have (2^, 2^“^, 2^ -cyclic difference 
sets. However difference sets with these parameters N=2 , m=2 
& /\ =s 2*^“^ are nonexistent. The parameters do not satisfy 

Lemma 5.1 i.e. (N-l)A* m(m-l) . Put in othemTOrds the number of 
di I'f erences i?^j # 1 < i/j < of ^ 

mod N can not be divided equally among the 2 -1 non zero values. 


Total number of differences = m(m-l) 
Total nonzero elements = N-1 

JJ5 2^-*l 


and 



46 


Table 5 . 3 

Partial 

Correlation Results 

of 15 length Sequence. 

N = 

■15 

R ^(k) = - ^ = 

a 15 

- 0.066 

Partial Correlation Var [r ^(k)} 

width ® 

W 

Standard Deviation 

a = f Var[ R ^'^(k) ] 
a 

15 


0 

0 

14 


0.005 

0.0712 

13 


0.0109 

0.1046 

12 


0.017 

0-1333 

11 


0.025 

0.1608 

10 


0.035 

0.1885 

9 


0.047 

0.2177 

8 


0.062 

0.2494 

7 


0.081 

0.285 

6 


0.106 

0.3265 

5 


0.14 

0.3771 

4 


0.19 

0.4422 

3 


0.28 

0.5333 

2 


0-46 

0.6793 


1 


0.99 


0.9977 



47 


i.e^ the total nximber of differences is not divisible by n^umber 
of non zero elements. Hence it is not possible to contract 2^ 
length •£’>^1} sequences which has near-ideal two level correlation 
properties = 2^ for k=0 and = 0 for k 0. However 

it is possible to partition the differences among the (2^-1) 
non zero elements in such a way that we can get near- ideal 3 level 
correlation properties. If nonzero elements can be expressed 

by differences each and the rest of (2'^-l)-2^ ^ non zero 

elern-'iits by 2’^“^ differences each then such a 3 level correlation 
seqv:enc'er> is possible. 

Number of differences for 2^ ^ elements = (2 -1) .2 


Number of differences for the rest of elements 


Summation of the differences 


= [ (2’^"^-l) + (2^-l)-2^“‘^] 


= 2 ^^-^ ( 2’^-2 ) 

= 2^^“^ (2’^“^-l) 

= Total number of difference;- . 


Ti'u. 


-c thus constructed will have the correlation. 


R (k) * 2 

a 


n 


k = 0 


R (k) * N - 4m + 4-'v 

IBS N*** ^*1” 4A 


9 m 


N t 4 X 



48 


= j' -N + 4 . 2 ” ^ i.e. 0 for k / 0 and for 
< values of k 

+ 4* (2^ -1) i^e* --4 for he ^ 0 and for 2^^^ 

values of k* 

Sec Table 5 *4 for illustxation of 2^ se<juence. In general if 
we could constxuct sequences^ satisfying the differences parti- 
tion as mentioned for sny value of n^ then we can construct the 
permutation table* The sequence and the shifts of the sequence 
which give == 0 k / 0 could be used as columns of the 

permt: tation table * 

However a general solution toE 2^, 2^"^, {2^~^ , 2’^”^-!)] 
-CV‘ iic difference sets has not been attempted so far. Even 
if we could solve instances of this problem/ they will only 
yic ‘.d to a table look up implementation requiring many 2^xn 
bits storage, in the absence of a systematic algorithmic solu- 
tion yielding a hardware of reduced complexity. 

5.2.5 Accept. iblc 2 ” Length Sequences 

We have seen that, based on primitive polynomials of 

degree n# we can construct 2^^-l length binary sequences possessing 

r2n _1 k = 0 

ne n.-ideal correlation property k / 0 * 

Th 3e designs partition the (2^“^) (2’^”^-l) differences into 
2^-2 sets of 2*^“^ difference each/ thus each non zero element 
is expressed in exactly 2^“^ ways. These designs contain 2 . 

onos and 1 zeroes and the corresponding (2 -1/2 ,2 )- 



49 


cyclic difference set D = (a-a....a ) mod(2^-l); m = 2’^"^ contains 

JL ^ m 

n X 

2 mernbers. We could retain the same difference set D = 

could try to construct 2^ length sequence by 
adding one more zero thus making 2^“'^ ones 2""^ zeros. How- 
ever now the differences are to be expressed (a^-aj) mod 2^. 

If this method yields ideal partition of differences then we can 

realise near-ideal 2^ length sequences through the (2^,2^”^, 
n 2 n 2 

{2 , 2““ -l))-cyclic difference set thus obtained. This 

near-ideal 2^ length sequences possess three level correlation 


prop rty r 

0 

II 



II 

0 

k / 0; 

at 

((2^-1) - 2^"^) places 

(-4 

k / 0 ; 

at 

2^-2 places. 


On rhe otherhand we can accept the 2^ length design extended 
frou (2^-1) length design if the correlations for the non zero 
shifts are within certain tolerance with respect to the one 
tht oretically obtainable. This will yield a design of (2^, 2^“"^/ 

( (2’^~2^ + A ) ) cyclic difference set. The tolerance 
coi. Id be say 1 or 2 . When tie tolerance is A=i we get (2^,2^“^, 
( 2 ”"^, +1) - cyclic difference set and the 2^ length- 
so'i’ience constructed will have the correlation property of 

: c) = I 2*^ k = 0 

Lo,- 4,4,-8 k 7^ 0 

We could treat these 2^ length sequences as 'acceptable sequences' 
in an asymptotic sense i.e, as n becomes large the correlation 
values for non zero shifts are close to 0 and for zero shift is 2 ’^, 



50 


Table 5.4 Partition of Differences and Correlation of 2^ Length 

„ . . , A Sequence 

Primitive Polynomial p(X) = 1+X+X^ 


D = 

Non zero member 
k 


(3,6,7,9^11,12,13,14) mod 16 
Di fferences 


Correlation R (k) 

3l 


1 (7-6(12-11) (13-12) (14-13) 0 

2 (9-7) (11-9) (13-11) (14-12) 0 

3 (6-3) (9-6) (12-9) (14-11) 0 

4 (7-3) (11-7) (13-9) -4 

5 (ll-6( (12-7) (14-9) (3-14) 0 

6 (9-3) (12-6) (13-7) (3-13) 0 

7 (13-6) (14-7) (3-12) -4 

8 (14-6) (11-3) (3-11) ( (-14) 0 

9 (12-3) (6-13) (7-14) -4 

10 (13-3) (3-9) (6-12) (7-13) 0 

11 (14-3) (6-11) (7-12) (9-14) 0 

12 (3-7) (7-11) (9-13) -4 

13 (3-6) (6-9) (9-12) (11-14) 0 

14 (7-9) (9-11) (11-13) (12-14) 0 

15 (6-7) (11-12) (12-13) (13-14) 0 

= 4 non zero members are expressed as differences of 3 each 
i.e. the members 4,7,9,12. 

(2^-l)-2'^ = 11 non zero members are expressed as differences of 
4 each, i.e. the members 1,2,3,5,6,8,10,11,13,14,15. 
Pei mutation table could be formed by using any 4 of the sequence 
of shifts k = 0,1,2,3,5,6,8,10,11,13,14,15 


.4-2 



51 


We will try to extend the (2^-1) length designs obtained 
through GF(2^) and see whether the extended 2^ length sequences 
are ’acceptable sequences'. 

Let F denote the 'forward difference' .and let B denote 
the 'back difference j between two elements of the difference set 


a. —a . == F 

1 J 

if 

ai> aj 

== B 

if 



With this definition of the differences each non zero element 
gets represented by some mix of F and B, Further for two elements 
a. and a. if (a. -a.) = k then (a. -a.) = N-k,all differences 

i J 1 J J ^ 

taken modulo N. Hence the whole table of partition of diffe- 
rences becomes symmetrical about the middle. If an element k is 
represented by a set of Fs & Bs then N-k gets represented by the 
same set of F's and B's with reversal i.e. F<=^B. See Table 5.5, 
When the same difference set is retained i.e. D = (a-,ao...a ); 
m = and the length is extended to 2^^ length design 

then the differences partition among the non zero elements follow 
the rule : The 'forward diffe.:ences ' Fs get retained at the same 
locations and 'Back differences' Bs get shifted one place down 
in the list of non zero elements, i.e. 


if a. > a. (a.~a^) mod (2^-1) = (a.-a.) mod 2 ^ = F, 

where F, indicates 'forward difference' of value h 

n 

and if a^ < Sj (a^^-aj) mod (2’^-l) = B^ 




52 


A 4 

Table 5.5 (2-1) -Design Primitive polynomial p(X)=l+X+X 

D * (3,6,7,9*11,12,13,14) mod (2^-1) 


Non zero members 
k 


Di fferences 


To tax 
Fs 

BS 

1 

(7-6) 

F 

(12-11), 

F 

(13-12) 

F 

(14-13) 

F 

4 

0 

2 

(9-7) 

F 

(11-9) 

F 

(13-11) 

F 

(14-12) 

F 

4 

0 

3 

(6-3) 

F 

(9-6) 

F 

(12-9) 

F 

(14-11) 

F 

4 

0 

4 

(7-3) 

F 

(11-7) 

F 

(13-9) 

F 

~ (3-14) 

B 

3 

1 

5 

(11-6) 

F 

(12-7) 

F 

(14-9) 

F 

(3-13) 

B 

3 

1 

6 

(9-3) 

F 

(12-6) 

F 

(13-7) 

F 

(3-12) 

B 

3 

1 

7 

(13-6) 

F 

(14-7) * 
F 

(3-11) 

B 

(6-14) 

B 

2 

2 

8 

(14-6) 

F 

(11-3) 

F 

(6-13) 

B 

(7-14) 

B 

2 

2 

9 

(12-3) 

F 

(3-9) 

B 

(6-12) 

B 

(7-13) 

B 

1 

3 

10 

(13-3) 

F 

(6-11) 

B 

(7-12) 

B 

(9-14) 

B 

1 

3 

11 

(14-3)' 

F 

(3-7) 

B 

(7-11) 

B 

(9-13) 

B 

1 

3 

A 


12 

(3-6) 

B 

(6-9) 

B 

(9-12) 

B 

(11-14) 

B 

13 

(7-9) 

B 

(9,11) 

B 

(11-13) 

B 

(12-14) 

B 

14 

(6-7) 

B 

(11-12) 

B 

(12-13) 

B 

(13-14) 

B 




4 



53 


becomes mod 2^^ = length design. 

j3j^ the Back difference of value h of (2^-1) length design becomes 
back difference of value htl of 2^^ length design as the 
modulus changes from (2^-1) to 2 ^, See Table 5.6 for an extended 
design from (2^-1) design. 

The extended design of 2^ length sequence, derived from 
Jcetaining the same difference set obtained from (2"^-!) length 
<3.esign, given in Table 5,6, is a near-ideal sequence. This is 
loecause the correlation function values of the extended design 
’exactly meets (16,8(4,3)) -cyclic difference set construction. 

ZEn general a (2^-1, 2’^-^, 2^“^) -cyclic difference set will lead 
-fco near-ideal 2 length sequence design through (2 ,2 U , 
2 ’^” 2 _ 3 _) difference set, if the 'F‘ forward difference' 

and B'back difference* partition follows the following postulates. 

1 . The F portion of the partition should be monotinically 

cdecreasing in width for increasing values of nonzero elements 
s.n<j should never increase. 

2 . There should be exactly 2 places at which the width of 

F ,,:alls by 1. 

Tl extended 2^^ design has correlation function value of R^(k) = 

— : at these steps and R^(k) = 0 at all other places. See Fig. 

3 . i for a partition leading to near-ideal 2 ^ length sequence. 

The extended design will lead to 'acceptable sequence' 
of length 2 '^ if the postulates 1 and 2 cited above are not violated 



54 


4 , 4 

Table 5.6 2 -Design extended from (2 ~1)-Design 

D = ( Primitive polynomial p(X) * l+X-i-X^ 

D s (3^6,7,9,11,12,13,14) Mod (2^) 

Nonzero members Differences Total Correlations 







Ps 

Bs 

R 

a 

1 

( 7 - 6 ) 

F 

(12-11) 

F 

(13-12) 

P 

(14-13) 

F 

4 

0 

0 

2 

(9-7) 

P 

(11-9) 

F 

(13-11) 

F 

(14-12) 

F 

4 

4 

0 

3 

(6-3) 

F 

(9-6) 

P 

(12-9) 

F 

(14-11) 

P 

4 

0 

0 

4 

(7-3) 

P 

(11-7) 

P 

(13-9) 

P 


3 

0 

-4 

5 

(11-6) 

P 

(12-7) 

F 

(14-9) 

F 

(3-14) 

B 

3 

1 

0 

6 

(9-3) 

F 

(12-6) 

P 

(13-7) 

F 

' (3-13) 

B 

3 

1 

0 

7 

(13-6) 

F 

(14-7) 

F 


(3-12) 

B 

2 

1 

-4 

8 

(14-6) 

F 

(11-3) 

F 

(3-11) 

B 

(6-14) 

B 

2 

2 

0 

9 

(12-3) 

F 

i 

' (6-13) 

B 

(7-14) 

B 

1 

2 

-4 

10 

(13-3) 

F 

(3-9) 

B 

(6-12) 

B 

(7-13) 

B 

1 

3 

0 

11 

(14-3) 

F 

(6-11) 

B 

(7-12) 

B 

(9-14) 

B 

1 

3 

0 

12 


(3-7) 

B 

(7-11) 

B 

(9-13) 

B 

0 

3 

-4 


13 (3-6) (6-9) (9-12) (11-14) 00 0 

B B B B 


14 (7-9) (9-11) (11-13) (12-14) 04 0 

B B B B 

(6-7) (11-12) (12-13) (13-14) 0 

B B B B 


15 


4 


0 



55 


by more than the' tolerence/i, , The postulates can be modified 
to read as follows, 

1. The F partition should have a general trend of decreasing 

width with increasing value of non zero elements. 


1 

2 


F 


^n~2 „ 

2 Steps 


of 1 




2^-2 

2^-1 


(2'^~1) -Design 


P 


2^-Design 


xR^{k)=-4 
/at 2 places 

R (h)=0 at 
a 

other places. 


I 


B 




B 


Fig* 5.4 Near-ideal 2^-Design, 

2. At no place the steps in P width can increase by more 

than tolerance A. and decrease by more than (li-A). There is no 

restriction on the number of places of occurrence of step. 

The correlation function values will be ^ (for 

A- l) at places where F width increases by A ~ -8 at 

places where P decreases by (H-A), places where 

F decreases by A and ~ 0 other non zero shifts. 

. , , (^n— 1 /,^n— 2 «n— 2 ^ \ 

Thus such a partiton of differences leads to U .2 -> 

-i- A) -cyclic difference set, which leads to 'acceptable sequence 

designs of length 2’^. The partition-: of differences belonging 

to Singer construction via GF( 2^) lead to 'acceptable sequence' 

< 3 . 6 si< 3 ns# S 06 Tsblos 5«7 to 5 #11* 



56 


p(X) 


Table 5.7 2 -Design through Primitive 


D 


Nonzero 

e lements 

1 

2 

3 


16 

17 

10 

19 

20 
21 
22 


= 1 X 

C4. 6 ,7 , 9 , 11 ^ ^ ^ , 19 


t2''-l) length sequence 
DiffeFence 

FPFFFFFP 
FFFFFFFF 
FPFFFFFP 


Polynomial 

, 20 . 21 -^, 23 - 26 , 29 . 30 ) 

2 ^^ length seguenc 


4 

F F F F F F F 

JL 

8 

0 

5 

F F F F F F I 

'is 

7 

1 

6 

F F F F F F 3 

*' B 

7 

1 

7 

FFPFFFFjB 

7 

1 

8 

F F F F-F F 

B B 

6 

2 

9 

FIF F F F F^ 

B S 

6 

2 

10 

F F F F F F 

iJb 

7 

1 

11 

F F F F F F^ 

[b b 

6 

2 

12 

F F F F F^B 

B B 

5 

3 

13 

F F F F F F 

ja B 

6 

1 

14 

F F F F Fli 

3 B B 

5 


15 

F F F F f|; 

B B a 

5 




23 

24 

25 

26 
27 
2 '. 
V'- 
3i’ 

31 


F F FlB B B B B 

fffJbbbbb 

F fFb B B B B B 
F B B B B 

F B B B B B 

f|bbbbbbb 

F fIb B B B B B 
F F]B B B B B B , 
fIb B B B B B B 
FIB B B B B B B 
f\s B B B B B B 
BBBBBBBB 
BBBBBBBB 
BBBBBBBB 
BBBBBBBB 





Table 5.8 2^-Design through p(X) == 1 -i- X + -f -t 

D = (4,5,7,9,12^16,18^19,20,21,22,24,25,28,29,30) 




Table 5.9, 


2'^-Design tlirough pi.X) - 1 

D = (4,6/3,^9^10,12,13,17,18,19,20,21,24,25,27,30) 


Nonzero (2^- 

elements 

-1) length 

sequence 



2^ length 

sequence 

k 

Difference partition 

■ Fs 

3s 

Bs 

Fs 

TTkT 

a 

1 

F 

F 

F 

F 

F 

F 

F 

P 

8 



8 

0 

2 

F 

F 

P 

F 

F 

F 

F 

• F 

8 



8 

0 

3 

F 

P 

F 

P 

F 

F 

F 

F 

8 

0 

^0 

8 

0 

4 

P 

F 

F 

P 

P 

F 

F 

P 

8 

0 

0 

8 

0 

5 

F 

F 

F 

F 

F 

P 

F 


7 

1 

0 

7 

-4 

6 

F 

F 

P 

F 

F 

F 

F 

3 

8 

0 

1 

8 

■1-4 

7 

F 

F 

F 

P 

F 

P 

F 

B 

7 

1 

0 

7 

-4 

8 

P 

F 

P 

F 

F 

F 

F 

B 

7 

1 

1 

7 

0 

9 

F 

P 

F 

F 

F 

F 

F 

B 

7 

1 

1 

7 

0 

10 

F 

F 

F 

P 

F 

It 

B 

B 

5 

3 

1 

5 

~8 

11 

F 

F 

F 

F 

F 

F 

B 

B 

6 

2 

3 

6 

i-4 

12 

F 

F 

F 

F 

F 

F. 

B 

B 

6 

2 

2 

6 

0 

13 

F 

P 

P 

F 

F 

B 

B 

B 

5 

3 

2 

5 

_4 

14 

F 

F 

P 


B B 

B 

B 

4 

4 

3 

4 

-4 

15. 

P 

F 

P 

F 

3 

B 

B 

B 

5 

3 

4 

5 

1-4 

16 

P 

F 

f| 

B 

B 

B 

B 

B 

3 

5 

3 

3 


17 

F 

P 

F 

F 

h 

B 

B 

B 

4 

4 

5 

4 

-1-4 

18- 

F 

P 

F 

B 

B 

B 

B 

B 

3 

5 

4 

3 

-4 

19 

F 

F 

B 

B 

B 

B 

B 

B 

■ 2 

6 

5 

2 

-4 

20 

F 

F 

B 

B 

B 

B 

B 

B 

2 

6 

6 

2 

0 

21 

F 

F 

F 

B 

B 

B 

B 

B 

3 

5 

6 

3 

1-4 

22 

P 

fi 

B 

B 

B 

B 

B 

B 

1 

7 

; 5 

1 

-8 

23 

F 

B 

B 

B 

B 

B 

B 

B 

1 

7 

7 

1 

0 

2^ 

P, 

B 

B 

B 

B 

B 

B 

B ' 

1 

7 

7 

1 

0 

25 

It 

B 

B 

B 

B 

B 

B 

B 

0 

8 

7 

0 

_4 

26 

TTi 1 

_tJ 

B 

B 

B 

B 

B 

B 

B 

1 

7 

8 

1 

i-4 

27 

B 

B 

B 

B 

B 

B 

B 

B 

0 

8 

7 

0 

^4 

28 

B 

B 

B 

B 

B 

B 

B 

B 

0 

8 1 

8 

0 

0 

29 

B 

B 

B 

B 

B 

B 

B 

B 

0 


8 

0 

0 

30 

B 

B 

B 

B 

B 

B 

B 

B 

0 



0 

0 

31 











"^8 


0 



i 


Table 5.10 2^ Design through p(X) = 1 -i- ^ X^ 

D = (1,6,8,10,11,12,14,15,19,20,21,22^23,26,27,29) 


Nonzero 

eleraents 

(2 

n 

1) 

length 

sequence 


2^ 

length sequence 

k 

Difference 

partion Fs 

Bs 

Bs 

Fs 

R (k) 
a 

1 

F 

F 

F 

F 

F 

F 

F 

F 

8 



8 

0 

2 

F 

F 

F 

F 

F 

P 

F 

F 

8 


""0 

8 

0 

3 

F 

P 

P 

F 

F 

F 

F 

ll 

7 

1 

0 

7 

-4 

4 

F 

F 

P 

F 

F 

F 

F 

F 

1 8 

0 

1 

8 

-!-4 

5 

F 

F 

P 

F 

F 

F 

P 

I**— 

B 

7 

1 

0 

7 

-4 

6 

P 

F 

F 

P 

F 

F 

F| 

B 

7 

1 

1 

7 

0 

7 

8 

F 

F 

F 

F 

F 

F 

P 

P 

F 

F 

F 

F 

P 

F 

B 

8 

7 

0 

1 

1 

0 

8 

7 

1-4 

-4 

9 

P 

F 

F 

F 

F 

F 

P 

3 

7 

1 

1 

7 

0 

10 

F 

F 

P 

F 

p] 


B 

B 

5 

3 . 

1 

5 

-8 

11 

F 

F 

F 

F 

F 


B 

B 

6 

2 

3 

6 

:-4 

12 

F 

P 

F 

F 

F 

B 

B 

B 

5 

3 

2 

5 

-4 

13 

F 

P 

F 

P 

F 

B 

B 

B 

5 

3 

3 

5 

0 

14 

F 

F 

F 

F 

F 

1 

B 

B 

B 

5 

3 

3 

5 

0 

15 

F 

F 

F 

F 

F 

B 

B 

B 

5 

3 

3 

5 

0 

16 

F 

F 

F 

B 

B 

B 

B 

B 

3 

5 

5 

3 

0 

17 

F 

F 

F 

B 

B 

B 

B 

B 

3 

5 

5 

3 

0 

18 

F 

F 

F 

B 

B 

B 

B 

B 

3 

5 

5 

3 

0 

19 

F 

F 

F 

B 

B 

B 

B 

B 

3 

5 

5 

3 

0 

20 

F 

F' 


B 

B 

B 

B 

B 

2 

6 

5 

2 

-4 

21 

F 

F 

F 1 

|b 

B 

B 

B 

B 

3 

5 

6 

3 

'1*4 

22 

f‘ 

B 

B 

B 

B 

B 

B 

B 

1 

7 

5 

1 


23 

F 

B 

B 

B 

B 

B 

B 

B 

1 

7 

7 

1 

0 

24 

B 

B 

B 

B 

B 

B 

B 

B 

0 

8 

7 

0 

^4 

25 

P 

B 

B 

B 

B 

B 

B 

B 

1 

7 

8 

1 

1*4 

26 

F' 

B 

B 

B 

B 

B 

B 

B 

1 

7 

7 

1 

0 

27 

3 

B 

B 

B 

B 

B 

B 

B 

0 

8 

7 

0 

^4 

28 

29 

P 

B 

B 

B 

B 

D 

B 

B 

B 

B 

B 

B 

B 

B 

B 

B 

1 

0 

7 

8^ 

8 

7 

1 

0 

*1-4 

^4 

30 

B 

B 

B 

B 

B 

B 

B 

B 

0 


8 

0 

0 

31 













0 





mnt%Te 

#l*tniint» 


l«ngth »#qu«nc« 
DifC«rence Partition 


fJtrrrfTFfFFPwrrF 
fFFFFFPFFFI’FPrFr 
FF,FPFFPFFFFFFFFF 
FFFFFFFFFFFPFFPP 
F P F F F F F FFFFFFFFF 
FFFFFFFFFFFFFF Ffi" 
FFFFFfFFFFFFFFFB 
FFfFPFFFFFFFFFPB 
FFFFFFFFFFFFFFFB 
FFFFFFFFFFFFFFFB 
FF'FFPFFFFFPFF pIb B 

.. f'pffpppppfpffpbb 

FFFFPFFFFPPF pj^B B 
FFFFPFFPFFPF F^B B 
FPP'FFFPFFPPP pfa B B 
FFFPFP'PFPPFPFBBB 
FFFFFFPF'FPPPPBBB 
FFFFPFFFPFPf[^BBB 
FFPPPFFFFFF F^B B B 
FFF'FFFFPFIfF F p| B B B 

ffffFfpfff pfe b b -b b 

' FFrPFFFF F F Ff B B B B B 
FFFFFFFF pfs b' B B B B B 
FPFFFFFF F ^ B B B B B • B 
FFFP'PFFF fIb B B B B B B 
FFFFFFFFFBBBBBBB 
X F F F F F F f[^B B B B B B B 

F F F F F F F F fIb B B B B B B 

FFFFFFFF F^B B B B B B , 
F if F F F F P f\f[ b B B B B 8 B 
F F F F F F f | b 8 8 B 8 8 B 8 

F F F F F F F F f| b B B B B B B 

F F F F F F fJb B B B B B 8 B B 

F F F’ ;p F f[^b BBBBBBBB 
F F F F F F ]F]£‘b B B B B B B B 

F F F F F F F^B B B B B B B B 

, F F F F F F fFb B B B B B B B B 

FFFFFFFBBB B B B B B B 
F F F F F f[Tb B B B B B B B B 

F F F F F F f| b B B B B B B B B 

v r f f fIb 8 bbbbbb'bbb 
F F F F f[ b BBBBBBBBBB 
F F F [bB BBBBBBBBBBB 
F F f[i^B BBBBBBBBBBB 
FFF^BBBB BBBBBBBB 
F F f[b BBBBBBBBBBBB 
FFFBBB. BBBBBBBBBB 
FFFB BBBBBBBBBBBB 
F f|^B BBBBBBBBBBBB 
F F^l BBBBBBBBBBBB 
F f(b BBB8BBBBBBBBB 
F^B 88 BBBBBBBBBBB 


2 l«ngth a«quenc« 


^B, BBBBBBBBBBBB B^B^ 
FBBBBBBBBBBBBBBB 

8 BBB 8 BBBBBBBBBBB 

bbbbbbbbbbbbbbbb 

BBllBBlBBiBBSaBB 

BBBiBlBBlBBBBBBB 

BBliBBBBBBBBBBBB 















62 


n-2 

^ 2 Differences-^ 



5.2,7 Enumeration of Tables 

The construction procedure of field elements of GP(2’^), 
using primitive polynomials of degree n^ gives a good permutation 
table. Furthermore the *n' columns of the binary 'n* tuple 
representation of the 2^ field elements could be permuted among 
themselves and used as permutation tables. This gives nl tables 
for every primitive polynomial of degree n. 

The number of primitive polynomials of degree n is given 
by the 0 (2^-l)/n v/here Eule^ JZf- function 




63 


0’(x) is defined by 

J2f(x) = Tl x=l 

/Ji > 1 '• ^ 

\ (Integer x expressed as 

I product of powers of primes) 

[j>-l if X = p a prime 

Exhaustive table of primitive polynomials of degree upto 
34 appear in [ 20/Pp. 251-270] . Primitive trinomials of degree 
upto 1000 is given in [ 28], [29] . See Table 5.12 for the 
number of permutation tables that can be formed for various 


values of n. 



64 


Table 5 

.12 Niimber of 

Permutation Tables 





Degree 

n 

(2’^-.l) 

Number of 
primitive 
polynomials 

N = 

m n 

Number of Permute 
tables 

1 

N --nix N 
P i 

1 

1* 

1 


1 



2 

3* 

1 


2 



3 

7* 

2 


12 



4 

15 

2 


48 



5 

31* 

6 


720 



6 

63 

6 


320 



7 

127* 

18 

90, 

720 



8 

255 

16 

645, 

120 



9 

511 

48 

17,418, 

240 



10 

1,023 

60 

2.17728 

E 

J- 

1 

8 

11 

2,047 

176 

7.02535 

E 


9 

12 

1,095 

144 

6.89762 

. ® 


10 

13 

8, 191* 

630 

3, '^2302 

E 

t 

1 

12 

14 

16,383 

756 

6.59067 

E 

» 

13 

15 

32,768 

1,800 

2.35331 

E 


15 

IS 

65,535 

2,048 

4.28498 

E 


16 

17 

131,071* 

7,710 

2.74235 

E 

't* 

18 

18 

,262,143 

8,064 

5.16287 

E 

r 

19 

19 

524,287* 

27,594 

3.35667 

E 

'i- 

21 

20 

1,048,575 

24,000 

5.83896 

E 


22 

21 

2,097,151 

84,672 

4.32597 

E 


24 

22 

4,194,303 

120,032 

1.34916 

E 

i" 

26 

23 

8,388,607 

356,960 

9.22813 

E 

•f 

27 

24 

16,777,215 

276,400 

1.71541 

E 

■I' 

29 


* I-lersenne Primes 



CHAPTER 6 


HARDWARE I!4PLEM£NTATI0N 

'We have seen in chapter 5y that the n tuple represen- 
tation of Galois Field GF(2^) generates a good permutation table. 
Hence any hardware realisation of the system will involve Galois 
Field arithmetic. Galois Field arithmetic like addition, 
multiplication, exponentiation of field elements is essentially 
carried out by basic operation of binary field arithmetic. This 
requires basically modulo 2 addition (Ex-OR logical operation) 
and multiplication ( AND logical operation) of binary field ele- 
ments (0,1). Efficient Galois Field arithmetic hardware archit- 
ectures are reported in literature, [s l[l3]/[ 27],[26] and the 
trend indicates that polynomial complexity hardware is distin- 
ctly possible. 

In this chapter we give a hardware scheme to implement 
the cipher system algorithm discussed in chapter 5, After making 
an initial approach (Section 6.1) in respect of hardware requi- 
rements of Encryption (section 6.1.1) and of decryption ^sec. 
6.1.2), we alter the basic structure, to circumvent the difficult 
'dircrete logarithm problem' required in decryption, using 
involuti.on (section 6.1.3) and we finally arrive at a new 
stri.cture (section 6.2) Section 6.2.1 presents the Slock schematic 
Subsequent sections 6.2,2 and 6.2,3 explore the set of permuta— 



66 


■fcions geneirated by the stiructure and cryptanalysis of the final 
structure respectively, A hardware, designed using available MSI/ 
LSI chips, and its performance in respect of speed (throughout) 
and hardware complexity are given in section 6.3. 


6.1 Initial Approach 

6.1.1 Encryption 

We are to use Galois Field GF(2^) element n- tuple 
representation and its cyclic shifted versions as the permuta- 
tion tables, as we have established the usability through (2^-1 , 
2^“^, 2^“^) -cyclic difference sets. A general sketch of the 
cipher is given Fig. 6,1* 


Plaintext (m) 



Key (k) 


Pig. 6.1 General sketch of the cipher 


A n-bit key specifies the primitive polynomial of degree n 
plu.i the colximn permutation to be used, Galois Field arithmetic 
operation based on this has to be carried out on n-bit wide 
arithemetic sum modulo 2^ of n-bit plaintext and n bit key 
spe edified by K, The n bit wide output of the GF(2’^) compixtation 





67 


is the cipher text. Here the usable key space is 2^^ specified 
by 2n bit key K. Encryption is carried out by first performing 
addition modulo 2^ and then Galois Field GP(2’^) computation. 
Linear complexity ( 0(n)) hardware exists for carrying out modulo 
2^ summation of 2~n bit words, A ripple carry adder/carry look 
ahead adder could be used for this purpose, Galois Field compu- 
tation in GF(2^) involves taking exponentiation of primitive 
element a (for 2-1 elements a ...a and also some 

hardware to deal with 0 element ( of the field. Exponentia- 
tion of any field element in GF(2^) can be carried out by GF(2^)- 
multiplier hardware. This hardware can be used to do exponen- 
tiation by successive multiplications element oc , Thus a^, a^, 

2 2^-2 

a ... a can be computed. However this will involve exponen- 

tial time complexity (0 (2^'^^) on the average. Tliis could be 
speeded up by using 'left to right binary method of exponentia- 
tion [l6. p.441 3 . In this method if one has to compute 
the following steps are followed, x is first written in binary 
number system b^^j^ . . .b^b^^ then, after suppressing leading 
zeros, each '1* is replaced by the pair of letters SX (S = 
square, X = multiply) and 0 is replaced by the setter S and the 
'SX' appearing at the left is deleted. The sequence of opera- 
tic ' to compute a ^ is given by this string of '3' and 'X' on the 
eler ,ent a , starting from left to right. For example 

100 _ (1100100)2 


1100100 


SXSXSSSXSS 



68 


This implies 'square oc ^ multiply byot, square, square, square, 
multiply by a , square, square 


100 

a 


= (((((a^a)^)^)^a)^)^ 


This can be verified as correct by seeing the power RHS evaluates 
to ( (2 M) 2.2. 2+1) 2. 2 = 100. Hence exponentiation can be carried 
out in linear time complexity 0(n) where n represents the nxamber 
of bits required to represent the power x. The number of multi- 
plications required is bounded by (n-l)f (n-1) = 2(n-l) i.e. (n-1) 

squares and (n-1) multiply leading to a total of 2 (n-1) multip- 
lications, For particular values of x it takes ([_ log 2 xJ -1) + 
(■^(x)-l) multiplications, where j__yj indicates trunclation of y 
to integer (floor of y) and ii) (x) indicates the nujTiber of ones in 

binary representation of x. Exponentiation takes care of genera- 

1 2 2^-1 

tion of a , a , . . .a . Element a = 0 can be taken 

care of by appropriate detection circuit and over-riding the 

GP(2^) exponentiation. See Fig. 6.2 

Plaintext (m) Key (k) 



Pig. 6.2 Encryption Hardware Schematic 







69 


Hence it appears feasible to realise polynomial time 
complexity for encryption. 

6.1.2 Difficulty in Decryption 

Decryption process involves translating the cipher text 
into plaintext and this can be achieved by essentially tracing 
the path of encryption in the reverse direction. In the proposed 
scheme this can be done provided we can carryout inverse opera- 
tions of GF(2^) computation and addition modulo 2’^. Inverse 
operation of addition modulo 2^ can be carried out by a hardware 
subtracter mod 2^^. In the inverse operation of GF(2^) compute- 

oo 

tion, the case of element « could again be taken care by over- 
riding by hardware detector. However the case of elements 

*1 Q 0^0 

a' a ” pose a harder problem in inverse calculation. 

In Galois Field GF(2^)/ the field elements A(a) » oc^ mod p(oc) 

take on the value of each non zero field element A(a ) in GF(2^) 

exactly once, as the value of x ranges through integers 0,1,.,. 

2’^-2. Conversely, to each nonzero field element ) in GF(2’^), 

we associate the integer x, and say that x is the logarithm of 
on ■» 

A(o^) . Since « = 1 mod p(<^), the logarithm is only defined 

mod 2^-1. We refer to the calculation of x, x = loga, A(Q:) over 
GF(2^), as the 'discrete logarithm problem' [ 4,xp 73-82]. One 
can, using the GF(2^) multiplier hardware, repeatedly multiply 
A(cc) by a“^ and count the number of multiplications required to 
obtain the element l=a°. Ihis woulc require exponential time 



70 


complexity, on the average about 2^'’^ time steps, if the field 
is small enough, one can tabulate all field elements and their 
logarithms, and use this table for computation within the field, 
much as one uses a table of natural logarithms for calculation 
involving real numbers. See Table 6.1 for log table of GF(2’^). 

Table 6.1 Log Table for GF(2^) using p(X) = l-i-X+X^ 


Field element A(£x) log^./ A(<^) 

1 

0 0 0 0 a 

0 0 0 1 0 

0 0 10 1 

0 0 11 4 

0 10 1 2 

0 10 1 8 

0 110 5 

0111 10 

1 0 0 0 3 

1001 14 

10 10 9 

10 11 7 

110 0 6 

1101 13 

1110 11 

1111 12 



71 


However for a table-look up scheme we require huge storage of 
(2^-1) n-bit words. Pew other algorithms, namely Adleman 
Algorithm [2lj,[2j Waterloo algorithm [ lal & Copper Smith algorithm 
[ 45 ], ireported in literature indicate that they all take exponen- 
tial time complexity to evaluate logarithms in GF(2^) . 

6.1.3 Solution through Involution 

However the problem of evaluating logarithm can be cir- 
cumvented in the implementation of the cryptographic system, by 
modifying the structiure to accomodate 'involution' [l?, p 236]. 

Definition ? Let n block mean a sequence of 0 and 1 of 

5 o 

length n X = j^a vector of length N 

of (0,1). Then a mapping "n: on Z, into Z^ is called an 

2 

'involution' if Tt =1, the identity transformation. 

Let the transformation f be a mapping on Z^ ^ then 

consists of the following steps 

Transformation of right-half N-block y of (x,y) by f 
f s y = f(y) 

. Component by component addition (modulo 2) of this result 
to '.he left half N block x of (x,y) i.e. f(y)@ ^ 

. Concatenation of f(y) (±)x to the right half of N-block y 

i-®* 2^ 

2 

Corap a ting Tt ^ we find 



72 


(s-z) = (j^f(z>/ Z> f 

= (x€)f(2) 0f(x)/ z^ 

= (X/Z^ since f(;^) (J) f(;^) = 0 

Thus ^ is an involution and is an element of symmetric group 
(Proof s If (x)7t = (y;) 7t then 

(x) = X = y = (y) 

Let ^ be intercharge mapping 

V.’ (x,y) > (Z^2S) 

'yis also an ’involution', 

% It Tt "K 

Let 0 . product of these mappings p = f 2 * * fm* 

fi) = ')) = I (identity permutation) we have '■'1“^ = • *^f 2 ^ 1 *, 

—1 

Then encryption is done by 7* and deci^^ption by ’n: using the 

ir ir 

same hardware structure. Hence using this 'involution' structure 
we need only to find exponentiation in GF(2’^), thus avoiding 
discrete logarithm problem. We simultaneously realise a hardware 
structure which can be same for encryption and decryption. See 
fig, 6.3 ! 

6,2 Pinal Structure and its Capabilities , 

6,2 ,1 Bloch Schematic | 

Using the product of involutions as the basic building 

j 

block we can finalise the structure. A minimum of 2 rounds will ; 
ensure that no part of plaintext appear at the cipher text I 

wituout going through our GF(2’^) based transformation. Many I 



73 



One Round of Cipher System % 

Fig. 6.3 Product of two Involutions and 

rou 'ds of this structure could be implemented depending on the 
speed requirements. See fig. 6,4 for the final block schematic 
usij g 4 rounds. 

The proposed system requires a 8n bits key in the form 
of fC^^K 2 /K 2 & each of 2n bits. However by using Keyschedulinq 
aloc.rithm K^^K 2 /K 2 & could be derived from ^2n bits of key 
by I sing shifted versions of key. 


6. 2 Permutation Space of the Cipher System 

The involution structure we have used in the cipher 
system contains only 'even' permutations. The mappings used 
we”.' a and We will prove for 1 the mappings contain 

























75 


only even permutations. Lemma 6.1 s For any n >1, .Vis an 
even permutation. Proof : ^exchanges, in pairs, a vector 

and (^^x) . Hence there is a transposition involved 
between (x,y) and (y^x^ transposition for (x,x) . (X/X) 

form occurs for 2^ values as both x, & y are n bit binary vector. 
Hence the no. of transposition is given by (2^”-2^)/2 and is 
even, 2^^ gives the total values, out of which 2^^ are invariant 
under for the remaining (2 ^^-2^) the transformation 
exchanges them in pairs. See table 6.2. 


Table 6.2 V-^ven Permutation 

X 

0 0 
0 0 
0 0 

j 0 0 

0 1 
0 1 
— 0 1 
0 1 
1 0 
*— 1 0 
1 0 
1 0 

1 1 

1 1 
1 1 
1 1 


0 

0 

1 

1 

0 

0 

1 

1 

0 

0 

1 

1 

0 

0 

1 

1 


0 

1 - 

0 * 

1 

0 

1 

0 

1 

0 

1 

0 

1 - 

0 

!■ 

e 


* invariant foirm 
2 

total no. 2 =4 


* 


-traiispositions 

total no .= ( 2^^-2^) /2 

= { 2 ^- 2^)/2 
= 6 



76 


Lemma 6.2 ; If n > 1 t±ien is an even permutation for every f ^ . 

Tif^^ is a permutation in our case. Hence each vector 0 
(all zeros) to 1 (all ones) occur only once in the function 
f ^ 2 ) of the transformation. 


Let 0 denote all zero vector then the transformation fixes 
(invariant) the elements and the rest of the elements are exchanged 
in pairs. The nxamber of transpositions is given by (2^’^-2’^)/2 
and is even. See table 6.3. 


Table 6.3 ix^^-Even Permutati'’'n 


X 

0 0 
0 0 
0 0 
0 0 
0 1 
0 1 
0 1 
0 1 
1 0 
1 0 
1 0 
1 0 


z 

0 0 
0 1 . 
1 0 
1 1 
0 0 

0 i 

1 0 
1 1 
0 0 
0 1 


1 

1 

1 

1 


1 

1 

0 

0 

1 

1 


0 ■ 
1- 
O' 
1 
0 
1 


X 

0 0 
0 0 
0 0 
0 0 
0 1 
0 1 
0 1 
d 1 
1 0 
1 0 
1 0 
1 0 
1 1 
1 1 
1 1 
1 1 


f(z) 
0 1 

0 0 
1 1 
1 0 
0 1 
0 0 
1 1 
1 0 
0 1 
0 0 
1 1 
1 0 
0 1 
0 0 
1 1 
1 0 


* 2’^ = 2"^ = 4 places where f(y) = 

3 cranspositions, total number = (2 


x(9f (y) , 
0 1 
0 0 
1 1 
1 0 
0 0 

-01 
1 0 
1 1 
1 1 

-10 
0 1 
0 0 
1 0 

— 11 
0 0 
0 1 


z 

0 0 
0 1 
1 0 
1 1 
0 0 
0 1 
1 0 
1 1 
0 0 
0 1 
1 0 
1 1 
0 0 
0 1 * 
1 0 
1 1 




0 and hence invc riant 

2V2 = 6 . 


.2 



77 


Hence the cipher system which does several rounds of tliese V and 

transformations lie within the group of even permutations 

rx 

A(22n) • 

fCy) can be seen as n columns of 2^ length binary sequences 

and it has been proved in literature [6][lo] that if one uses 

all 2 * functions one can generate A22n. In our cipher system 

2 r*i 

we are using only a chosen set of 2 functions in each round. 

6.2.3 Cryptanalysis of the Final Scheme 

Ciphertext only attack depends on the side information 

of the source of plaintext in terms of probable words. It is 

difficult to maintain a catalogue and collect statistics on 2^ 

19 

of n bits block as even for n=64 thus would mean x 10 

entries . 

The proposed cipher system uses a minimum key space of 

n 19 

2 keys of length n bits. Hence key trial on 1,8x10 keys is 

also impractical. 

The known plaintext and chosen plaintexl. attacks corres- 
pond to passive and active sy.'.tem identification problems 
res;joctively [ s] . Unlike in automatic fault diagnosis, the 
goa.l here is to build systems which are difficult, rather than 
eas-, to identify. The cipher transformation us.i,ng Galois Field | 

GF(;’^) computations is highly nonlinear with nonlinearity of i 

all orders present (See table 6.4) and hence one requi.res plain- 
tex : and corresponding ciphertext for 2 ^ elements as the system 



/ 


transformation is given by 2^x2” binary matrix. Then one has to 
solve the 2*^ linearly independent equations to identify the 
system matrix. Gbllection of plaintext-ciphertext pairs for 2^ 
different values itself is infeasible. Further approximately 
2^^^ operations are reqxiired to compute the matrix. If the 
transformation were linear or affine then the system matrix size 

3 

is only nxn and could be solved in n operations. If n = 64 
then tliis means approximately 0,3 million operation which could 
be carried out in 0.3 secs, assuming a 1 s instruction time. 


Table 6.4 Reed Muller Canonical Boolean Expression 

5 

Uses standard basis for 2“’ sequences obtained through GP(2 ) . 


Sequence s D 


(4,6,8,9,10,12,13,17,18,19,20,21,24,25, 

27,30) 





^4© ^3^2© ^4=^3© ^4’'l='o 

^4^2’^0© ’‘4’^3^o® ^3^2^1® =‘4=^2’^!© 


Sequence :: D = 

f (x^X^X^XgX^^) = 

Sequence D = 

f (x^-.c,x^x„x . ) = 

0x234: 


(4,6,7,9,11,15,16,17,19,20,21,22,23,26,29,30) 

=^40 =^3^0© =^4*0© ^ 1 ^ 2 ® ==4^3© 

^3='2^o@ ’"4^2^!© ’'4="3'^1® 

(1,6,8,10,11,12,14,15,19!;.20,21,22,23,26,27,29) 

^1*^ ^2^^ ^0^1'^ ^ 0 ^ 4 ® ^1^2® ^1^3© ^1^4© ^ 2^3 
& ^ 3 X 4 © ^^^1=^3© ^q=^3'"4© 

<3 X2K^x^<S) ^ o "' i ^ 3 "' 4 - 


12 4 



79 


6.3 Hardware and its Performance 

This section presents a detailed design of the block cipher 
of length 64. Addition modulo 2^^ is carried out by 8 
Pull Adders connected in series, (Pig. 6.5). To add two 32 bits 
word, it takes a worst case total of ^ 200 n sec including the 
time to load the operands using LSTTL ICs. [3oj, (si"] , During the 
4 rounds of the cipher this addition has to be carried out as many 


times. 

GF(2^^) exponentiation is done through repeated multiple 

^ Q, 

cations using 'left to right binary method' of taking power 
field element «<., GF(2^^) multiplier uses an array architecture 

to carryout the multiplication faster. The multiplier first form 

the product a.b where a = ^ ~ ^^.n-1' ‘ ^ 

two field elements, A (2n-l)-bit product vector is first obtai 

ned ’ Subsequently ... 

are reduced modulo the primitive polynomial p(«X), specif i®'^ 

coefficients f = hardware required is of 

the nrder.O(n^) and it takes (n-1) .t time delays, where t - tota 

delav for one AIID and Ex-OR gates (Fig. 6.6). Initially the a 

and ■-> registers are loaded with o< and then a series of 'Square 

'Mul'-.iply' operations are performed using the multiplier. 

('■ctc 6.7 

all Os detector overrides the exponentiator output. (.Jjry 
6.8) . To carryout one exponentiation a maximum of 64 multiple 
cations are to be executed. Each multiplication takes a wors 



80 


case time of ^ 2 p sec, using LSTTL. Hence a total of 64x2x4 
p sec. are requireoi to carryout 4 rounds of the cipher trans- 
formation. 

Key is moved into the key Registers, Plaintext data is 
moved into the Plaintext Register, and the ciphertext is loaded 
at the end of each transformation and moved out bytewise seria- 
lly. (Pig. 6.7 and 6.9). The Plaintext is loaded into Left and 
Right Registers and the cipher transformation is carried out in 
parallel with I/O operations. This pipeline architecture 
provides a good speed of 125 k bits for LSTTL version and 250 
k biis for STTL version. (Fig. 6.10). 



81 


L 

R 

D 

D 





^ 31 * ••^ 1^0 




'LS283 4-bit Full Adder Specifications: 

Max, delay from CO to : 24 nsec 

” CO to C4 ; 17 nsec 

" A^ or to ; 24 nsec 

“ or to C4 : 17 nsec 

Worst case addition delay (32 bit words) : 143 nsec 

32 


Fig. 6.5. Addition Modulo 2 






•tiplication delay (n « 32 bits) 
(n-l).(Sum of AND and Ex-OR gate delays 
3 1x50 nsec * 1.55 usee. 












83 


















84 


m 





E^po ne t <'a.fro V- , 




SXSX S s s S S s s 


S’-%uav'€ ^ X- 


Pig. 6,8. GF(2^^) Exponent! ator Timing Diagram 








pYixme. clooK i ! I I 



Fig. 6.g 






86 


Plaintext (Input) 


64 bit 
Blocks 





4 


• Shows this part is active 

* Shows transfer of data 


Each Multiplication in GF(2^^) takes ^ 2 usee. 

32 

Each Exponentiation takes 64 Multiplications in GF{2 ) 128 use* 

Cipher Transformation on a block of 64 bits requires 4 rounds 

32 

of exponentiation in GF(2 ) ^ 128x4 = 512 usee. 


Throughput 


64 

512x10“^ 


125 kbits (LSTTL version) 
250 kbits (STTL version) 


Fig . 6,10. 


Pipeline Operation, 




CHAP'IER 7 


CONCLUSION 


As permutations from the symmetric group on N = 2^ 
members of a n bit binary vector^ chosen randomly provides a 
strong cipher system# a hardware realisation is attempted. 
Elegant methods of mapping integer x (0 £ x ^ N *. -1) into 
permutation are presented and these offered very simple set up 
algorithm for a hardware permutation network. However the 
hardware complexity of these schemes are shown to be, too hig}\. 

As t'le number of permutations 2^j of is far too high than the 
size of the key space one could handle# quasi-random permutations 
out of were considered as candidates for the cipher system. 

A v/ay to choose these out of using white binary sequences of 
2^^ Length is postulated. It is shown using cyclic difference 
set concepts that it is possible to obtain these 2 ^ length I 

seq lences from the well studied (2’^-l) sequences obtained through! 
(2^-1, 2^“^)-cycliG difference sets. Generalising the i 

re It lead to Galois Field GF(2^) transformation as the heart i 

of "he cipher system. This mapped the integers 0 to 2’^-l 
(rt. presented by n- tuple plaintext) to n-tuple representation of ! 

x)o o 2^—2 1 

Galois Field elements a #or,,..a . The hard problem of ; 

taking logarithm in GF(2^) is circumvented by the use of I 

I 

•i^ivolution' operation. The resultant cipher system# having a | 



88 


large key space and cryptographic strengths is shown to be rea- 
lisable in hardware of reasonable complexity. Further the result 
indicates that the system can be configured for any value of n, 
thus putting no restrictions and if need be the design is exten- 
dable to higher values of 'n*. A particular hardware realisa- 
tion of the same is proposed in detail for n = 64 using presently 
available MSI/LSI chips. A low power Schottky TTL version is 
capable of operating at 125 k bits/sec and a Schottky TTL version 
is capable of reaching 250 k bits/sec. 

7.1 Results 

. Cryptographically good permutation tables can be obtai- 
ned through Galois Field GP(2^) computation, 

. Hardware and time complexity of the proposed final 
cipher system is polynomial and is capable of operating at 250 
k bits/sec using STTL ICs. 

7.2 Scope for Further Work 

Concerted cryptanalytic attack on the proposed system 
could be carried out as future work. This will highlight the 
strength and weakness, if there are any, of the system. These 
might pave way to a polynomial time solution to cryptanalysis, 
in which case the cipher system is proved useless. 

Only 'acceptable' solutions were obtained extending the 

results of already existing cyclic difference set results, 

% 



Theoretical solutions to near-ideal 2^ length sequences could 
be pursued. If this leads to results generalisable for all 
value of n, then these are better solutions to the problem. 
However on getting the solution one has to explore the possi- 
bility of translating the algorithm into a reasonable sized 
hardware. 

The cipher system was derived through cyclic difference 
sets. This implied that cyclic shifts are to be used as the 
key space and necessiates the use of carry look ahead adder as 
a component of the system. If one could get a similar solution 
based on dyadic difference sets, then this will lead to faster 
and simpler hardware. The difficulty one faces here is that 
dyadic systems are defined only for values which are powers of 2 
and hence no such approach as extending results of (2^-1) length 
designs are possible as they don't exist. 

Integrated circuit technology is taking strides and one 
could think of 10^ devices in a silicon chip. A VLSI realisa- 
tion of the hardware could be attempted. However one might have 
to modify the detailed implementation presented here to one 
that can be laid out with ease. 



REFERENCES 


[ l] M. Abramowitz and I, A. Stegun, Handbook of Mathematical 
Functions# NY: Dover Publications, 1965. 

[ 2 ] L. Adleman, "A Subexponential Algorithm for the Discrete 

Logarithm Problem with Applications to Cryptography", 
in Proc, IEEE 20th Annual Symposium on Foundations 
of Computer Science, 1979, pp. 55-60. 

[ 3 ] T.C. Bartee and D.I, Schneider, "Computation with Finite 

Fields", Inform, contr., Vol. 6, pp, 79-98, Mar. 1963. 

[ 4 ] I.F. Blake, R.C. Mullin and S.A. Vanstone, "Computing 

Logarithms in 01(2^^)," in Lecture Notes in Computer 
Science, Vol. 196s Advances in Cryptology, G.R. 
Blakley and D. Chaum, Ed., NY: Springer-Verlag, 

1985, pp. 73-82. 

[53 D. Coppersmith, "Fast Evaluation of Logarithms in Fields 

of Characteristic Two", IEEE Trans. Inform. Theory, 
Vol. IT-30, pp. 587-594, July 1984. 

[ 6] D. Coppersmith and E, Grossman, "Generators for Certain 
Alternating Groups with Applications to Crypto- 
graphy", SIAM J. Appl. Math., Vol. 29, No, 4, 
pp. 624-627, Dec. 1975. 

[ 7 ] D.E. Denning, Cryptography and Data Security, Reading, 

MAS ; Addison-Wesley, 1983 . 

[ s] W. Diffie and Mi.E, Heilman, "Privacy and Authentications 

An Introduction to Cryptography", Proc. IEEE, Vol. 

67, No. 3, pp. 397-427, Mar. 1979. 

[ 9 ] W. Diffie and M.E. Heilman, "New Directions in Cryptography", 
IEEE Trans. Inform. Theory, Vol. IT-22, No. 6, pp. 
644-654, Nov. 1976, 

[id S. Even and 0. Goldreich, "DES-like Functions can Generate 
the Alternating Group", IEEE Trans. Inform. Theory,. 
Vol. IT-29, No. 6, pp. 863-865, Nov. 1983. 

[ ll] R. Fuji-Hara, I.F. Blake, R.C. Mullin and S.A. Vanstone, 
"Computing Logarithms in Finite Fields of Charac- 
teristic Two", SIAM J. Appl. Math., Vol, 29, No. 4, 
pp. 624-627, Dec. 1975. 




91 


C 12] 

[13] 

[14] 

[15] 
[ 16 ] 

[17] 

[18] 

[19] 

[ 20 ] 
[ 21 ] 

[ 22 ] 

[23] 


J.A. Gordon and H, Retkin, "Are Big S-boxes Best?" in Lecture 
Notes in Computer Science, Vol. 149s Cryptography, 
Thomas Beth, Ed., NYs Springer-Verlag, 1983, pp, 
257-262. 

H. Gupta, Selected Topics in Number Theory, Kent, England s 
Abacus Press, 1980. 

J.K. Holmes, Coherent Spread Spectrum Systems, NYs John 
Wiley, 1982. 

V. Krishnamurthy, Combinatorics s Theory and Applications, 

New Delhi-Madras s EWP, 1985. 

D.E. Knuth, The Art of Computer Programming, Vol. II s 

Seminumerical Algorithms, Reading, MA s Addison- 
Wesley, 1981, 

A. G. Konheim, Ciryptography s A Primer, NYs John Wiley, 

1981. 

B. A. Laws and C.K. Rushforth, "A Cellular-Array Multiplier 

for GF(2i^)," IEEE Trans. Comput., Vol. C-20, pp. 
1573-1578, Dec. 1971. 

F.J. MacWilliams and N.J.A, Sloane, "Pseudo-random Sequen- 
ces and Arrays", Proc. IEEE, Vol, 64, pp. 1715-1729, 
1976. 

W. W. Peterson, Error-Correcting Codes, Cambridge, MASs MIT 

Press, 1961. 

S.C. Pohlig and M.E. Heilman, "An Improved Algorithm for 

Computing Logarithms over GF(p) and its Cryptograp- 
hic Significance", IEEE Trans. Inform. Theory, 

Vol. IT-24, pp. 106-110, 1978. 

R.L. Rivest, L. Adleman and M.L. Dertonzos, "On Data Banks 

and Privacy Homomorphisms" , in Foundations of Secure 
Computation, R.A. Demillo, Ed., NYs Academic Press, 
1978, pp. 169-179. 

C. E. Shannon, "Communication Theory of Secrecy Systems", 

Bell Syst. Tech. J., Vol. 28, pp. 656-715, Oct. 1949. 

N.J.A. Sloane, "Encrypting by Random Rotations", in Lecture 
Notes in Computer Science, Vol. 149s Cryptography, 
Thomas Beth, Ed., NYs Springer-Verlag, 1983, pp. 
71-128. 


[ 24 ] 



92 


[25] W.D. Wallis, A.P, Street and J.S. Wallis, Combinatorics; 

Room Squares, Sum-free Sets, Hadamard matrices. 
Lecture Notes in Mathematics, Vol. 292, NY; Springer- 
Verlag, 1972, ' 

[26] C.C. Wang, T.K, Truong, H.M. Shao, L.J, Deutch, J.K. Omura 

and I.S, Reed," VLSI Architectures for Computing 
Multiplications and Inverses in GF(2’^)", IEEE Trans, 
Comput., Vol. C-34, pp, 709-716, Aug. 1985. 

[ 27 ] C.S. Yeh, I.S. Reed and T.K. Truong, "Systolic Multipliers 

for Finite Fields GF(2^)", IEEE, Trans. Comput,, 

Vol, C-33, pp, 357-360, Apr. 1984. 

[28] N. Zierler and J. Brillhart, "On Primitive Trinomials 

(Mod 2)", Inform, and Contr., Vol, 13, pp. 541-554, 

1968. 

[29] N. Zierler and J. Brillhart, "On Primitive Trinomials 

(Mod 2)", Inform, and Contr., Vol. 14, pp. 566-569, 

1969. 

[”30*1 The TTL Data Book for Design Engineers, Texas Instruments, 
Texas; 1976, 

p3fj TTL Data Book, National Semiconductor Corporation, CA;1976. 



Appenaxx t ai 

List of Galois Field Elements and Difference Sets 
Table Al.l GP(2^) 


Power 

representation 


5-- tftple representation 



p (X) » 1+X+X^+X^+X^ p (x) = 1 +X^+X^ 


^ c i g'^ g^ a 1 


0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

0 

g® 

0 

0 

0 

0 

1 

0 

0 

0 

b 

1 

0 

0 

0 

0 

1 


0 

0 

0 

1 

0 

0 

0 

0 

1 

0 

0 

0 

0 

1 

0 

a;2 

0 

0 

1 

0 

0 

0 

0 

1 

0 

0 

0 

0 

1 

0 

0 

a3 

0 

1 

0 

0 

0 

0 

1 

0 

0 

0 

0 

1 

0 

0 

0 

a* 

1 

0 

0 

0 

0 

1 

0 

0 

0 

0 

1 

0 

0 

0 

0 

a ^ 

0 

1 

1 

1 

1 

1 

1 

0 

1 

1 

0 

1 

0 

0 

1 

a ^ 

1 

1 

1 

1 

0 

0 

1 

1 

0 

1, 

1 

0 

0 

1 

0 

a 7 

1 

0 

0 

1 

1 

1 

1 

0 

1 

0 

0 

1 

1 

0 

1 

a 8 

0 

1 

0 

0 

1 

0 

1 

1 

1 

1 

1 

1 

0 

1 

0 

a9 

1 

0 

0 

1 

0 

1 

1 

1 

1 

0 

1 

1 

1 

0 

1 

g ^ 

0 

1 

0 

1 

1 

0 

0 

1 

1 

1 

1 

0 

0 

1 

1 

gll 

1 

0 

1 

1 

0 

0 

1 

1 

1 

0 

0 

1 

1 

1 

1 

g ^ 

0 

0 

0 

1 

1 

1 

1 

1 

0 

0 

1 

1 

1 

1 

0 

gl3 

0 

0 

1 

1 

0 

0 

0 

0 

1 

1 

1 

0 

1 

0 

1 

g 

0 

1 

1 

0 

0 

0 

0 

1 

1 

0 

0 

0 

0 

1 

1 

in 

1 

1 

0 

0 

0 

0 

1 

1 

0 

0 

0 

p 

1 

1 

0 

a 16 

1 

1 

1 

1 

1 

1 

1 

0 

0 

0 

0 

1 

1 

0 

0 

gl7 

1 

0 

0 

0 

1 

0 

1 

0 

1 

1 

1 

1 

0 

0 

0 

gie 

0 

1 

1 

0 

1 

1 

0 

i: 

1 

0 

1 

1 

0 

0 

1 

a 19 

1 

1 

0 

1 

0 

1 

0 

1 

1 

1 

1 

1 

0 

1 

1 

a 20 

1 

1 

0 

1 

1 

1 

0 

1 

0 

1 

1 

1 

1 

1 

1 


1 

1 

0 

0 

1 

1 

0 

0 

0 

1 

1 

0 

1 

1 

1 

g 

1 

1 

1 

0 

1 

1 

1 

0 

0 

1 

0 

0 

1 

1 

1 

g23 

1 

0 

1 

0 

1 

0 

1 

0 

0 

1 

0 

1 

1 

1 

0 

a2< 

0 

0 

1 

0 

1 

1 

0 

0 

1 

0 

1 

1 

1 

0 

0 

a 26 

0 

1 

0 

1 

0 

1 

1 

1 

1 

1 

1 

0 

0 

0 

1 

g26 

1 

0 

1 

0 

0 

0 

0 

1 

0 

1 

0 

1 

0 

1 

1 

a 27 

0 

0 

1 

1 

1 

0 

1 

0 

1 

0 

1 

0 

1 

1 

0 

a 28 

0 

1 

1 

1 

0 

1 

0 

1 

0 

0 

0 

0 

1 

0 

1 

a 29 

1 

1 

i 

0 

0 

1 

0 

0 

1 

1 

0 

1 

0 

1 

0 

30 

a 

1 

0 

1 

1 

1 

1 

1 

1 

0 

1 

1 

0 

1 

0 

0 


D 

D 

P 

D 


( 4 . 5 . 7 . 9 . 12 . 16 . 18 . 19 . 20 . 21 . 22 . 24 . 25 . 28 . 29 . 30 ) 

( 4 . 6 . 7 . 9 . 11 . 15 . 16 . 17 . 19 . 20 . 21 . 22 . 23 . 26 . 29 . 30 ) 

( 4 . 6 . 8 . 9 . 10 . 12 . 13 . 17 . 18 . 19 . 20 . 21 . 24 . 25 . 27 . 30 ) 
( 1 , 6 , 8 , 10 , 11 , 12 , 14 , 15 , 19 , 20 , 21 , 22 , 23 , 26 , 27 , 29 ) 


Table A1.2 GP(2^) primitive polynomial p{X) ■ l+x^+x^ 


Power 6 -"txiple representation 

representation 

a i 


Power 

repre- 

sentation 


6->_tl?>le represen- 
tation 

et^ « i 


0 


ao 


a 

a 

a 

a 


a 


a. 

a 

a 

a 

a 

a 


a 


a 

a 

a 

a 

a 

a 

a 

a 

a 

a 


1 

2 

3 

4 

5 

6 

7 

8 

9 

10 
11 
12 

13 

14 

15 

16 

17 

18 

19 

20 
21 
22 


a 

a 

a 

a 


23 

24 

25 

26 


a 

a 

a 

a 


27 

28 

29 

30 


0 

0 

0 

0 

0 

0 

1 

1 

1 

1 

1 

1 

0 

1 

0 

1 

0 

1 

1 

0 

0 

1 

1 

0 

1 

1 

1 

0 

1 

1 

0 

1 


0 

0 

0 

0 

0 

1 

0 

0 

p 

0 

0 

1 

1 

1 

1 

1 

1 

0 

1 

0 

1 

0 

1 

1 

0 

0 

1 

1 

0 

1 

1 

1 

4 

D 


0 0 0 0 

0 0 0 1 

0 0 10 

0 10 0 
1 0 0 0 

0 0 0 0 

0 0 0 0 

0 0 0 1 

0 0 11 

0 111 
1111 
1111 
1111 
1-110 
110 1 
10 10 
0 10 1 

10 10 
0 10 1 

10 11 
0 110 
110 0 
10 0 1 

0 0 11 

0 110 
110 1 
10 11 
0 111 
1110 
110 1 
10 11 
0 110 


a 


31 


a 


a 


32 

33 

34 

35 

36 


a 
a 
a 

a 37 
a 38 
a 39 
40 


a 

a 

a 

a 

a 

a 


41 

42 

43 

44 

45 
a 46 
a *7 
a 48 
a 49 
a 

a 51 

a 52 


a 


53 


a 54 

55 


a 

a 

a 

a 

a 


56 

57 

58 

59 

60 
a 61 
^ 62 


a 


0 0 110 1 

0 110 10 
110 10 0 

0 0 1 0 0 1 

0 10 0 10 
10 0 10 0 

10 10 0 1 

110 0 11 

0 0 0 1 1 1 

0 0 1110 
0 1110 0 
1110 0 0 

0 1 0 0 0 1 

1 0 0 0 1 0 

10 0 10 1 

10 10 11 

110 111 
0 0 1111 
0 11110 
11110 0 
0 110 0 1 
1 1 0 0 i:. 0 

0 0 0 1 0 1 

0 0 10 10 

0 10 1*00 
10 10 0 0 

1 1 0 0 0 1 

0 0 0 0 1 1 

0 0 0 1 1 0 

0 0 110 0 
0 110 0 0 
1 1 0 0 0 0 


I 


-a X5,6,7,8,9,10,12 
33,36,37,38,42, 


,14,16rl7#20,21,23,24,25,27,28,30| 
44,45,46,47,50,52,56,57,62) ; 



91926 



